Risk actors have been noticed exploiting a essential safety flaw impacting the Metro Growth Server within the common “@react-native-community/cli” npm package deal.
Cybersecurity firm VulnCheck mentioned it first noticed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS rating of 9.8, the vulnerability permits distant unauthenticated attackers to execute arbitrary working system instructions on the underlying host. Particulars of the flaw had been first documented by JFrog in November 2025.
Regardless of greater than a month after preliminary exploitation within the wild, the “exercise has but to see broad public acknowledgment,” it added.
Within the assault detected in opposition to its honeypot community, the menace actors have weaponized the flaw to ship a Base64-encoded PowerShell script that, as soon as parsed, is configured to carry out a sequence of actions, together with Microsoft Defender Antivirus exclusions for the present working listing and the momentary folder (“C:Customers<Username>AppDataLocalTemp”).
The PowerShell script additionally establishes a uncooked TCP connection to an attacker-controlled host and port (“8.218.43[.]248:60124”) and sends a request to retrieve information, write it to a file within the momentary listing, and execute it. The downloaded binary is predicated in Rust, and options anti-analysis checks to hinder static inspection.
The assaults have been discovered to originate from the next IP addresses –
- 5.109.182[.]231
- 223.6.249[.]141
- 134.209.69[.]155
Describing the exercise as neither experimental nor exploratory, VulnCheck mentioned the delivered payloads had been “constant throughout a number of weeks of exploitation, indicating operational use moderately than vulnerability probing or proof-of-concept testing.”
“CVE-2025-11953 isn’t outstanding as a result of it exists. It’s outstanding as a result of it reinforces a sample defenders proceed to relearn. Growth infrastructure turns into manufacturing infrastructure the second it’s reachable, no matter intent.”
