Metro4Shell RCE Flaw Exploited in React Native CLI npm Package

First reported

03.02.2026 16:00

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

Threat actors are actively exploiting a critical remote code execution (RCE) flaw (CVE-2025-11953, CVSS 9.8) in the Metro Development Server within the @react-native-community/cli npm package. First observed on December 21, 2025, the vulnerability allows unauthenticated attackers to execute arbitrary OS commands. Exploits deliver a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary with anti-analysis features from an attacker-controlled host. The attacks originate from multiple IP addresses and indicate operational use rather than experimental probing.

Timeline

03.02.2026 16:00 1 articles · 11h ago

Metro4Shell Exploited to Deliver PowerShell Script and Rust-Based Binary
Threat actors have been exploiting CVE-2025-11953 (Metro4Shell) in the @react-native-community/cli npm package since December 21, 2025. The flaw allows unauthenticated remote code execution, with attacks delivering a PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary. The attacks originate from multiple IP addresses and indicate operational use.
Show sources

Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00
Open in new tab

Information Snippets

CVE-2025-11953 (Metro4Shell) is a critical RCE flaw in the Metro Development Server of the @react-native-community/cli npm package.
First reported: 03.02.2026 16:00

1 source, 1 article
Show sources
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00
The vulnerability has a CVSS score of 9.8, allowing unauthenticated remote code execution.
First reported: 03.02.2026 16:00

1 source, 1 article
Show sources
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00
First exploitation observed on December 21, 2025, with details documented by JFrog in November 2025.
First reported: 03.02.2026 16:00

1 source, 1 article
Show sources
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00
Exploits deliver a Base64-encoded PowerShell script that disables Microsoft Defender exclusions and downloads a Rust-based binary.
First reported: 03.02.2026 16:00

1 source, 1 article
Show sources
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00
The Rust-based binary features anti-analysis checks and establishes a TCP connection to an attacker-controlled host (8.218.43[.]248:60124).
First reported: 03.02.2026 16:00

1 source, 1 article
Show sources
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00
Attacks originate from IP addresses 5.109.182[.]231, 223.6.249[.]141, and 134.209.69[.]155.
First reported: 03.02.2026 16:00

1 source, 1 article
Show sources
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00
The attacks indicate operational use rather than experimental or exploratory activity.
First reported: 03.02.2026 16:00

1 source, 1 article
Show sources
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00

Summary

Timeline

Metro4Shell Exploited to Deliver PowerShell Script and Rust-Based Binary

Information Snippets