Critical React Native Metro dev server bug under attack
Essential information
- Published: 04/02/2026 11:13
- Modified: 05/02/2026 11:22
- Tags: 2026-02-04, CVE-2025-11953, exploit, linux, malware delivery, metro dev server, os command injection, react native, windows
- Related entities: 1 vulnerability (CVE), 1 observable, 5 techniques (MITRE)
Description
A critical vulnerability in React Native's Metro development server is being actively exploited to deliver malware to Windows and Linux machines. The flaw, tracked as CVE-2025-11953, allows unauthenticated attackers to execute arbitrary commands through OS command injection. Researchers discovered exploitation attempts as early as December, with attacks disabling Microsoft Defender protections and delivering a Rust-based payload with anti-analysis features. Despite its severity and ongoing exploitation, the vulnerability has not received widespread public acknowledgment. The bug affects the React Native Community command line tool, a popular npm package with millions of weekly downloads, highlighting the potential impact on developer tooling and the need for increased awareness and security measures.