What happened
Attackers are exploiting a critical vulnerability in the React Native Metro bundler to breach developer systems and execute malicious commands. According to the report by GreyNoise, the flaw exists in how Metro handles symbolic links when resolving module paths, allowing specially crafted packages to trigger arbitrary code execution during dependency installation or project builds. Threat actors have been observed publishing malicious npm packages that take advantage of this vulnerability, luring developers into adding them as dependencies in open-source projects or development environments. Once incorporated, the packages can execute commands on the host machine, potentially compromising developer workstations and injecting further malware or backdoor access. The activity was detected through incident reports from developers who noticed unusual command executions after installing seemingly innocuous dependencies. The vulnerability impacts development pipelines and build environments that rely on the Metro bundler for React Native projects.
Who is affected
Developers and development environments that use the React Native Metro bundler are affected if they install or include malicious packages exploiting the vulnerability, exposing build systems and workstations to remote code execution.
Why CISOs should care
Exploitation of development tooling can corrupt software supply chains, compromise build environments, and introduce persistent threats into production artifacts, undermining development workflows and downstream application integrity.
3 practical actions
- Audit dependency sources. Review npm dependencies for unverified or suspicious packages before inclusion.
- Isolate build environments. Use containerized or sandboxed build runners to limit the impact of malicious code.
- Monitor for unauthorized commands. Detect unexpected command execution on developer machines and in CI/CD pipelines.
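The first two actions can be turned into a pre-build gate. The script below is an added example written for this brief, not code from GreyNoise or the Metro project; it assumes a standard `node_modules` layout and flags two review triggers that match the description above: dependency entries that are symbolic links resolving outside the project root (the kind of path a bundler's module resolution would follow out of the sandbox), and packages declaring npm install-time lifecycle scripts (code that runs on the host during `npm install`). A hit is a reason to review the package, not proof it is malicious.

```python
# Added example: audit a project's node_modules before a build. Assumes the
# conventional npm layout (node_modules/<name> or node_modules/@scope/<name>).
import json
import os
from pathlib import Path

# npm runs these hooks on the host during install; the page describes malicious
# packages executing commands at dependency installation or build time.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def audit_node_modules(project_root):
    """Return {'escaping_symlinks': [(name, target)], 'lifecycle_scripts': [(name, hooks)]}."""
    root = Path(project_root).resolve()
    modules = root / "node_modules"
    findings = {"escaping_symlinks": [], "lifecycle_scripts": []}
    if not modules.is_dir():
        return findings

    # Collect package directories, descending one level into @scope folders.
    candidates = []
    for entry in modules.iterdir():
        if entry.name.startswith("."):  # skip .bin, .package-lock.json, etc.
            continue
        if entry.name.startswith("@") and entry.is_dir() and not entry.is_symlink():
            candidates.extend(entry.iterdir())
        else:
            candidates.append(entry)

    for pkg in candidates:
        name = pkg.relative_to(modules).as_posix()
        if pkg.is_symlink():
            target = Path(os.path.realpath(pkg))
            # A link whose real target lies outside the project escapes the
            # checkout or container boundary the build is supposed to stay in.
            if target != root and root not in target.parents:
                findings["escaping_symlinks"].append((name, str(target)))
        manifest = pkg / "package.json"
        if manifest.is_file():
            try:
                scripts = json.loads(manifest.read_text()).get("scripts") or {}
            except (json.JSONDecodeError, OSError, AttributeError):
                continue
            if isinstance(scripts, dict):
                hooks = sorted(s for s in LIFECYCLE_SCRIPTS if s in scripts)
                if hooks:
                    findings["lifecycle_scripts"].append((name, hooks))
    return findings


if __name__ == "__main__":
    import sys
    print(json.dumps(audit_node_modules(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it from the CI job that precedes `npx react-native bundle` and fail the build on any non-empty finding that has not been allow-listed after review.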
