Code Defence Cyber security

Metro4Shell: Hackers Exploit React Native CLI for Supply-Chain Attacks

Summary: A critical security flaw, dubbed “Metro4Shell,” has been discovered in the Metro Development Server used within the popular “@react-native-community/cli” npm package. Threat actors are actively exploiting this RCE flaw to compromise developer workstations during the build process, allowing for the silent injection of malicious code into mobile applications.

Business Impact: High Supply-Chain Risk. If your developers use React Native, their local machines are vulnerable to a takeover. More dangerously, the apps they build and publish to the App Store or Play Store could be “backdoored” before they even leave the developer’s laptop.

Why It Happened: The Metro server implementation lacked sufficient origin validation on certain development-only endpoints, so a malicious website visited by a developer could "bridge" into the local development environment and reach those endpoints.

Recommended Executive Action: Mandate an immediate audit of all internal npm registries and developer environments. Enforce an update to the latest patched version of the React Native CLI and ensure developers are not running development servers on publicly accessible network interfaces.

Hashtags: #Metro4Shell #ReactNative #SupplyChain #AppSec #npm #DeveloperSecurity
