Metro4Shell Attacks: Hackers Target React Native Developers via RCE Vu
Threat actors are actively exploiting CVE-2025-11953 in React Native's Metro server to deliver malware. Learn about the Metro4Shell attacks and how to protect your development environment.
Reading on the syndication mirror. Read the live version on WormGPT V4 →
Want the real thing? uncensored AI chat — the original worm gpt download free, no filters, no logs, instant access. Pair it with the deep web research AI to ship payloads, exploits and research at machine speed.
Metro4Shell Attacks: Hackers Target React Native Developers via RCE Vulnerability
February 10, 2026
In a sophisticated campaign targeting the developer community, threat actors are actively exploiting a critical remote code execution vulnerability in React Native's Metro Development Server. Dubbed "Metro4Shell" by researchers, this attack leverages CVE-2025-11953 to deliver advanced malware payloads across Windows and Linux development systems. The vulnerability, first detected in operational exploitation by VulnCheck's Canary honeypot network on December 21, 2025, continues to see active attacks throughout January 2026, despite patch availability.
This development marks a significant escalation in attacks targeting software development infrastructure, with React Native's massive adoption—powering over 15% of the top 500 mobile apps globally—making it a particularly attractive target. The attacks demonstrate how vulnerabilities in development tools can create cascading security risks throughout the software supply chain.
Understanding the Metro4Shell Vulnerability
CVE-2025-11953 represents a critical flaw in React Native's Metro bundler, specifically affecting the development server component that developers use during application testing and debugging. The vulnerability exists in the debugger proxy functionality, which allows remote attackers to execute arbitrary code on affected systems without authentication.
Technical Details: - CVSS Score: 9.8 (Critical) - Attack Vector: Network - Complexity: Low - Privileges Required: None - User Interaction: None
The vulnerability stems from improper input validation in the WebSocket connection handler, allowing attackers to inject malicious commands that get executed with the privileges of the Metro server process. Since developers typically run Metro with elevated permissions during development, successful exploitation often results in complete system compromise.
According to VulnCheck's telemetry, the initial exploitation wave in December 2025 targeted exposed development servers on default port 8081, with attackers scanning for vulnerable instances across cloud hosting providers and corporate networks.
Attack Methodology and Malware Payloads
The Metro4Shell attacks follow a sophisticated multi-stage approach that demonstrates significant planning and technical capability:
Initial Compromise: Attackers first identify exposed Metro servers through automated scanning, then establish WebSocket connections to the vulnerable debugger endpoint. Using crafted payloads, they bypass existing security controls and gain initial code execution.
Payload Delivery: Once initial access is achieved, attackers deploy various malware families depending on the target operating system:
- **Windows Systems:** Delivery of information stealers (including new variants of Lumma and RedLine), cryptocurrency miners, and backdoor trojans
- **Linux Systems:** Deployment of cryptocurrency mining software, reverse shells, and credential harvesting tools
- **Cross-Platform:** Some payloads are designed to work across both operating systems, demonstrating advanced malware development capabilities
Persistence Mechanisms: Successful attacks establish persistence through: - Scheduled tasks and cron jobs - Registry modifications (Windows) - Systemd service installations (Linux) - Hidden directories and fileless techniques
Lateral Movement: In corporate environments, compromised developer workstations serve as jumping-off points for lateral movement, with attackers using stolen credentials and development tools to access source code repositories, CI/CD pipelines, and production infrastructure.
Impact on the Development Ecosystem
The Metro4Shell attacks have far-reaching implications for software development security:
Supply Chain Risks: Compromised developer machines can lead to infected applications being distributed to end users. With React Native's widespread use in enterprise and consumer applications, the potential for supply chain contamination is significant.
Intellectual Property Theft: Attackers specifically target source code, API keys, and proprietary algorithms stored on developer workstations. Security firms have reported incidents where entire codebases were exfiltrated from compromised systems.
Development Environment Compromise: Beyond immediate malware installation, attackers modify development tools and dependencies to maintain long-term access. Some attacks have been observed injecting malicious code into node_modules directories, creating persistent backdoors that survive project cleanups.
Statistics from Recent Attacks: - Over 2,500 unique IPs observed scanning for vulnerable Metro servers - 47% of compromised systems were corporate developer workstations - Average dwell time before detection: 14 days - 78% of attacks occurred outside regular business hours
Mitigation and Protection Strategies
Immediate Actions: 1. Update Immediately: Ensure all React Native development environments are updated to versions patched against CVE-2025-11953 2. Network Segmentation: Restrict Metro server access to localhost only; never expose development servers to untrusted networks 3. Firewall Configuration: Block inbound connections to port 8081 (and other Metro ports) from external networks 4. Monitoring: Implement network monitoring for unusual WebSocket traffic to development ports
Long-term Security Practices: - Implement principle of least privilege for development accounts - Use isolated development environments (containers/VMs) - Regularly audit development tools and dependencies - Implement endpoint detection and response (EDR) solutions on developer workstations - Conduct regular security training for development teams
Detection Indicators: - Unusual WebSocket connections to Metro debugger endpoints - Unexpected child processes spawned from Metro server - Network connections to known malicious IPs from developer systems - Unauthorized modifications to package.json or node_modules
How WormGPT.ai Assists in Vulnerability Research
Platforms like WormGPT.ai play a crucial role in modern cybersecurity research by providing unrestricted AI tools for security analysis. In the context of vulnerabilities like Metro4Shell, researchers can leverage these tools for:
AI Vulnerability Scanner Development: Security professionals can use AI-assisted code analysis to identify similar vulnerabilities in other development tools and frameworks. The pattern recognition capabilities of advanced AI models can help uncover complex security flaws that might escape traditional static analysis.
Threat Intelligence Analysis: AI tools can process vast amounts of attack telemetry to identify emerging patterns and predict future attack vectors. For Metro4Shell-like vulnerabilities, AI can help correlate attack indicators across different security feeds.
Neural Network Attacks Simulation: Researchers can simulate attack scenarios using AI models to test defense mechanisms and understand potential exploitation paths. This proactive approach helps security teams prepare for real-world attacks.
LLM Jailbreak Research: Understanding how AI models can be manipulated helps security researchers anticipate how attackers might use similar techniques against automated security systems. This knowledge is crucial for developing robust AI-powered security solutions.
AI Cybersecurity Tool Development: The unrestricted nature of platforms like WormGPT.ai allows for the creation of specialized security tools that might be constrained in more restricted environments, enabling innovative approaches to vulnerability discovery and mitigation.
Conclusion
The Metro4Shell attacks represent a dangerous evolution in cyber threats targeting the software development lifecycle. By exploiting vulnerabilities in essential development tools like React Native's Metro server, attackers gain access to highly privileged environments with direct pathways to valuable intellectual property and software supply chains.
What makes this campaign particularly concerning is its persistence and sophistication—continuing for weeks despite patch availability and demonstrating advanced malware deployment capabilities. The attacks underscore the critical importance of securing development environments with the same rigor applied to production systems.
For development teams, the lessons are clear: development tools must be regularly updated, development servers should never be exposed to untrusted networks, and developer workstations require robust security controls. The boundary between development and production security is increasingly blurred, and vulnerabilities in one can quickly compromise the other.
As attackers continue to innovate, the cybersecurity community must leverage all available tools—including advanced AI platforms—to stay ahead of emerging threats. The Metro4Shell campaign serves as a stark reminder that in today's interconnected development ecosystems, every component in the toolchain represents a potential attack vector that requires vigilant protection.
Want the real thing? deep web research AI — the original wormgpt pricing, no filters, no logs, instant access. Pair it with the WormGPT API to ship payloads, exploits and research at machine speed.