Threat actors have been observed exploiting a critical security flaw affecting Metro Development Server in the popular “@react-native-community/cli” npm package.
Cybersecurity company VulnCheck announced on December 21, 2025 that it observed the first exploit of CVE-2025-11953 (also known as Metro4Shell). With a CVSS score of 9.8, this vulnerability allows an unauthenticated, remote attacker to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025.
Even though more than a month has passed since the first exploit in the wild, “this activity remains largely unknown to the public,” the report added.
In attacks detected against honeypot networks, attackers are armed with this flaw to distribute a Base64-encoded PowerShell script that, when parsed, is configured to perform a series of actions, including Microsoft Defender Antivirus exclusions for the current working directory and temporary folder (‘C:\Users\\AppData\Local\Temp’).
The PowerShell script also establishes a raw TCP connection to an attacker-controlled host and port (‘8.218.43′[.]248:60124″), sends a request to retrieve the data, writes it to a file in a temporary directory, and executes it. The downloaded binary is based on Rust and features anti-parse checks that prevent static inspection.
The attack was found to originate from the following IP addresses:
5.109.182[.]231 223.6.249[.]141 134.209.69[.]155
VulnCheck said the activity was neither experimental nor exploratory, and the payloads delivered were “consistent over several weeks of exploitation, indicating operational use rather than vulnerability research or proof-of-concept testing.”
“CVE-2025-11953 is noteworthy not because it exists; it is noteworthy because it reinforces a pattern that defenders keep relearning. Development infrastructure becomes production infrastructure the moment it arrives, regardless of intent.”
Source link
