EarlyNarratives
Pricing
Start free trialSign in
Start free trialSign in
Signal

CVE-2025-11953 “Metro4Shell” in react native metro dev server reportedly exploited in

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-02-03 14:00 UTCUpdated 2026-02-03 19:01 UTC
rss
cveexploitation_in_the_wildrcesupply_chainnpmreact_native
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
BackEvidence (3)Get the free brief by emailStart free trial
No card needed for the free brief.
Evidence trail (top sources)
top sources (3 domains)domains are deduped. counts indicate coverage, not truth.
3 top sources shown
View all evidence
Overview

Security reporting converged on active exploitation of a critical remote code execution flaw in React Native’s Metro Development Server, tracked as CVE-2025-11953 and nicknamed “Metro4Shell.” Coverage describes attackers leveraging the issue in the @react-native-community/cli npm package to execute code and deliver malware, with researchers warning that public awareness and response have lagged despite in-the-wild activity.

Entities
VulnCheckReact NativeMetro Development Server@react-native-community/clinpm
Score total
1.29
Momentum 24h
3
Posts
3
Origins
3
Source types
1
Duplicate ratio
0%
Why now
  • Outlets report active exploitation and malware delivery tied to Metro dev server
  • CVE-2025-11953 (“Metro4Shell”) is being highlighted as critical severity
  • Researchers are calling attention to insufficient public acknowledgement
Why it matters
  • In-the-wild RCE in a widely used dev tool can enable rapid malware delivery
  • npm/CLI exposure can turn developer environments into an attack path
  • Reports suggest awareness/acknowledgement may lag active exploitation
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
  • Threat actors are exploiting CVE-2025-11953 (“Metro4Shell”) in React Native’s Metro Development Server / @react-native-community/cli in the wild.
  • Reported exploitation has been used to deliver malware affecting Windows and Linux systems.
How sources frame it
  • The Hacker News: neutral
  • SecurityWeek: neutral
  • The Register: questioning
Three outlets report active exploitation of a critical React Native Metro dev server flaw (CVE-2025-11953 / “Metro4Shell”) used to deliver malware.
All evidence
All evidence
Critical React Native Metro dev server bug under attack as researchers scream into the void
theregister_security · go.theregister.com · 2026-02-03 19:01 UTC
Critical React Native Vulnerability Exploited in the Wild
SecurityWeek · securityweek.com · 2026-02-03 14:00 UTC
Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package
thehackernews · thehackernews.com · 2026-02-03 14:00 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 3Origin domains: 3Duplicates: -
Showing 3 / 0
Top publishers (this list)
  • theregister_security (1)
  • SecurityWeek (1)
  • thehackernews (1)
Top origin domains (this list)
  • go.theregister.com (1)
  • securityweek.com (1)
  • thehackernews.com (1)