A critical vulnerability identified as CVE-2025-11953, also known as Metro4Shell, has been exploited by threat actors targeting the Metro Development Server within the @react-native-community/cli npm package. Cybersecurity firm VulnCheck reported that the exploit was first detected on December 21, 2025, with a severity rating of 9.8 on the CVSS scale.
The security flaw enables remote attackers to execute arbitrary commands on affected systems without authentication. Despite its discovery in November 2025 by JFrog, the exploitation has not received widespread attention in the public domain. Evidence from VulnCheck's honeypot network indicates that attackers have utilized the vulnerability to deploy a Base64-encoded PowerShell script designed to perform various malicious actions, including establishing a connection to an external server.
This server, designated as 8.218.43[.]248:60124, is used to receive commands and execute downloaded binaries, which are crafted in Rust and include anti-analysis measures. The origins of these attacks have been traced back to multiple IP addresses, including 5.109.182[.]231 and 223.6.249[.]141. VulnCheck emphasized that the consistent nature of the payloads over several weeks indicates a sustained operational approach rather than mere testing of the vulnerability.