Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package
#Vulnerabilities


Security Reporter

Threat actors are actively exploiting a critical vulnerability (CVSS 9.8) in the React Native CLI's Metro Development Server to deliver malware, highlighting the risks of exposed development infrastructure.

Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in the popular React Native CLI npm package, marking another significant supply chain security incident affecting the JavaScript ecosystem.

Metro4Shell Vulnerability Under Active Attack

Cybersecurity company VulnCheck has detected real-world exploitation of CVE-2025-11953, dubbed "Metro4Shell," against its honeypot network since December 21, 2025. The vulnerability affects the Metro Development Server component within the "@react-native-community/cli" package and carries a CVSS score of 9.8, indicating critical severity.

The flaw allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host system. Despite the vulnerability being publicly documented by JFrog in November 2025, VulnCheck notes that "activity has yet to see broad public acknowledgment," suggesting many organizations may remain unaware of the active threat.

Attack Chain and Payload Delivery

In the observed attacks, threat actors weaponized the vulnerability to deliver a Base64-encoded PowerShell script. Once decoded and executed, the script performs several malicious actions:

  • Creates Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder ("C:\Users\\AppData\Local\Temp")
  • Establishes a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124")
  • Retrieves data from the remote server, writes it to a file in the temporary directory, and executes it

The downloaded binary is written in Rust and includes anti-analysis checks specifically designed to hinder static inspection by security researchers.

Attack Infrastructure

VulnCheck identified the following IP addresses as sources of the attacks:

  • 5.109.182[.]231
  • 223.6.249[.]141
  • 134.209.69[.]155

Operational Campaign, Not Testing

Describing the activity as neither experimental nor exploratory, VulnCheck emphasized that the delivered payloads were "consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing."

This consistency suggests the attackers have established a persistent operational campaign rather than conducting opportunistic testing or reconnaissance.

Development Infrastructure as Production Target

The Metro4Shell exploitation reinforces a critical security lesson that defenders continue to relearn: "Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent."

This pattern has been observed repeatedly in supply chain attacks, where development tools and services exposed to the internet become attractive targets for threat actors seeking to compromise downstream applications and systems.

Mitigation and Protection

Organizations using React Native CLI should immediately:

  1. Audit exposed development servers - Identify any Metro Development Servers accessible from the internet
  2. Apply security updates - Monitor for patches from the React Native community
  3. Implement network segmentation - Ensure development infrastructure is properly isolated
  4. Review access controls - Restrict who can access development environments
  5. Monitor for suspicious activity - Look for unusual PowerShell execution and network connections to known malicious IP addresses
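As an added example for step 5 (not code from the article or from VulnCheck), the following Python sketch decodes `-EncodedCommand` arguments found in process command lines and flags the two behaviours described above plus any contact with the listed IPs. The cmdlet `Add-MpPreference -ExclusionPath` and `Net.Sockets.TcpClient` are assumed concrete forms of "creates Defender exclusions" and "raw TCP connection"; the article names neither, and the sample log lines are constructed.

```python
"""Flag command lines showing the payload behaviour described above (constructed sample inside)."""
import base64
import re

# Indicators quoted in the article, "[.]" defanging removed.
IOC_IPS = {"8.218.43.248", "5.109.182.231", "223.6.249.141", "134.209.69.155"}
# Assumed concrete forms of the two behaviours (the article names neither cmdlet nor API).
BEHAVIOUR_PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "raw_tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),
}
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def decode_encoded_command(cmdline: str) -> str:
    """Decode -EncodedCommand (base64 over UTF-16LE); fall back to the raw command line."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def analyse_command_line(cmdline: str) -> list[str]:
    """Findings for one command line: matched behaviours, then any IoC IPs it contacts."""
    script = decode_encoded_command(cmdline)
    findings = [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(script)]
    findings += [f"ioc_ip:{ip}" for ip in sorted(set(IP_RE.findall(script)) & IOC_IPS)]
    return findings

def scan_logs(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> findings for every line with at least one hit."""
    return {i: f for i, f in enumerate(map(analyse_command_line, lines)) if f}

def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: one encoded line matching the described pattern, one benign line.
SAMPLE_LOGS = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(
        "Add-MpPreference -ExclusionPath $env:TEMP; "
        "$c = New-Object Net.Sockets.TcpClient('8.218.43.248', 60124)"),
    "powershell.exe -Command Get-ChildItem C:\\Projects",
]

if __name__ == "__main__":
    for idx, found in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(found)}")
```

Feed it the CommandLine field of your process-creation telemetry (Sysmon event 1 or Windows event 4688) rather than the constructed sample to use it for real.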

Broader Implications for Supply Chain Security

The Metro4Shell exploitation adds to a growing list of high-profile supply chain attacks targeting npm packages and development tools. As organizations increasingly rely on open-source components and cloud-based development workflows, securing the software supply chain has become paramount.

This incident underscores the need for comprehensive security measures including dependency scanning, runtime protection, and secure development practices to protect against increasingly sophisticated supply chain attacks.
