A highly sophisticated supply chain attack has compromised 16 widely used React Native
packages, collectively receiving over one million weekly downloads. This marks a major escalation in the ongoing threats within the NPM ecosystem.
The breach began on June 6, 2025, when attackers started injecting backdoors into packages within the React Native Aria and GlueStack ecosystems. These modifications deployed advanced remote access trojans (RATs), designed to enable persistent control over infected systems and facilitate data theft.
The first signs of the attack appeared at 21:33 GMT on June 6 with the release of version 0.2.10 of @react-native-aria/focus. The package had not been updated since October 2023, raising immediate red flags when a sudden update was pushed. Security systems quickly picked up the anomaly.
To conceal their activities, the attackers used whitespace-based obfuscation in the lib/commonjs/index.js file, pushing malicious code off-screen in most editors, making detection difficult without word wrapping enabled.
After breaching the initial package, the attackers continued their campaign throughout the night and into the next day, compromising other widely used libraries such as @react-native-aria/utils, @react-native-aria/overlays, @react-native-aria/interactions, and eventually @gluestack-ui/utils.
Security researchers at Aikido confirmed this incident as a follow-up to earlier compromises involving the rand-user-agent package. The new malware uses similar payload structures, but with expanded capabilities.
The attack is a significant evolution in supply chain threats. It introduces dual command-and-control (C2) infrastructures and refined data collection features. The speed and coordination shown infecting 16 packages in about 17 hours, point to either highly efficient automated tools or a well-organized team.
Given the popularity of the compromised packages, the attackers now have access to an extensive part of the React Native developer base, significantly expanding their potential impact.
Obfuscation and Payload Delivery
The attackers deployed a multi-stage strategy to deliver malware. They first used whitespace-based obfuscation to hide malicious scripts. Once executed, the payload initiated the installation of a full-featured RAT, leveraging the global namespace to maintain persistence and establish communication with the attackers.
Upon activation, the malware collected system information, including platform type, host and user names, and system architecture, using built-in Node.js modules.
The code also contained logic to select between different command-and-control servers depending on the deployment version, helping it avoid early detection.
On Windows machines, persistence was achieved by planting the malware in the %LOCALAPPDATA%\Programs\Python\Python3127 directory, mimicking legitimate Python software.
The RAT further enhanced its spying capabilities with new commands like ss_info to gather system details and ss_ip to identify the external IP address. These features suggest that the attackers may be preparing for lateral movement across networks.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
