Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package - The Hacker News

Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package Ravie LakshmananFeb 03, 2026Open Source / Vulnerability Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025. Despite more than a month after initial exploitation in the wild, the "activity has yet to see broad public acknowledgment," it added. In the attack detected against its honeypot network, the threat actors have weaponized the flaw to deliver a Base64-encoded PowerShell script that, once parsed, is configured to perform a series of actions, including Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder ("C:\Users\<Username>\AppData\Local\Temp"). The PowerShell script also establishes a raw TCP connection to an attacker-controlled host and port ("8.218.43[.]248:60124") and sends a request to retrieve data, write it to a file in the temporary directory, and execute it. The downloaded binary is based in Rust, and features anti-analysis checks to hinder static inspection. The attacks have been found to originate from the following IP addresses - 5.109.182[.]231 223.6.249[.]141 134.209.69[.]155 Describing the activity as neither experimental nor exploratory, VulnCheck said the delivered payloads were "consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing." "CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent." Update The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on February 5, 2026, added CVE-2025-11953 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 26, 2026. (The story was updated after publication on February 6, 2026, to include details of CISA's alert.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, Malware, NPM, Open Source, powershell, React Native, remote code execution, Supply Chain, Threat Intelligence, Vulnerability ⚡ Top Stories This Week ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is Trellix Confirms Source Code Breach With Unauthorized Repository Access Day Zero Readiness: The Operational Gaps That Break Incident Response PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise 2026: The Year of AI-Assisted Attacks Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Load More ▼ ⭐ Featured Resources [Demo] Discover How to Control Autonomous Identity Risks Effectively [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Guide] Get Practical AI SOC Insights to Improve Threat Detection [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster