Cyber Web Spider Blog – News

Developers Beware! 16 React Native Packages With Over a Million Downloads Compromised Overnight

Posted on June 9, 2025 By CWS

A sophisticated supply chain attack has compromised 16 popular React Native packages with over a million combined weekly downloads, marking a significant escalation in ongoing NPM ecosystem threats.

The attack, which began on June 6th, 2025, systematically backdoored packages across the React Native Aria ecosystem and GlueStack framework, deploying advanced remote access trojans (RATs) capable of establishing persistent system control and exfiltrating data.

The attack commenced at 21:33 GMT on June 6th when version 0.2.10 of @react-native-aria/focus was released, marking the first compromise in what would become a coordinated overnight attack.

@react-native-aria (Source – Aikido)

This initial package had not been updated since October 18th, 2023, making the sudden version release particularly suspicious to security monitoring systems.

The attackers employed sophisticated whitespace-based obfuscation techniques to hide malicious code within the lib/commonjs/index.js file, pushing the actual payload off-screen in standard code editors without word wrapping capabilities.

Following the initial compromise, the threat actors systematically targeted additional packages throughout the night and into the following day, compromising popular libraries including @react-native-aria/utils, @react-native-aria/overlays, @react-native-aria/interactions, and eventually extending their reach to @gluestack-ui/utils.

Aikido analysts identified this as a continuation of earlier attacks against the rand-user-agent package, noting the deployment of nearly identical payload structures with enhanced capabilities.

The malware represents a significant evolution from earlier supply chain attacks, featuring dual command-and-control infrastructure and enhanced reconnaissance capabilities.

The attackers demonstrated remarkable persistence and coordination, completing the compromise of all 16 packages within roughly 17 hours, suggesting either automated tooling or a well-coordinated team effort.

The combined reach of these packages, serving over a million weekly downloads, provides the attackers with an unprecedented attack surface across the React Native development ecosystem.

Obfuscation and Payload Delivery Mechanisms

The attackers employed a sophisticated multi-layered approach to payload delivery, beginning with whitespace-based obfuscation that renders malicious code invisible in most development environments.

The primary payload, inserted at line 46 of the compromised index.js files, appears as innocuous whitespace but contains the following obfuscated code:

global['_V']='8-npm13';global['r']=require; (f

This payload establishes the foundation for a comprehensive RAT deployment that uses the global namespace to maintain persistence and establish communication channels.

The malware immediately captures system information including platform details, hostname, username, and system architecture through Node.js built-in modules.

The attack demonstrates advanced evasion techniques by leveraging version-based C2 server selection, with the payload containing logic to choose between multiple command-and-control endpoints based on the deployment version.

The malware establishes persistence on Windows systems through the %LOCALAPPDATA%\Programs\Python\Python3127 directory, mimicking legitimate Python installations to avoid detection.

Moreover, the RAT includes enhanced reconnaissance capabilities with new commands such as ss_info for system metadata collection and ss_ip for external IP enumeration, indicating the attackers' focus on comprehensive environmental awareness and potential lateral movement preparation.
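
The whitespace-based obfuscation described above can be checked for mechanically. The following is an added example, not code from Aikido or from the affected packages: it flags any line in which visible text follows a long run of spaces or tabs. The function names, the 200-character threshold and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: detect code pushed off-screen behind a long whitespace run.
// MIN_RUN is an assumed threshold, not a value taken from the report.
const MIN_RUN = 200;

// Returns one finding per place where visible text follows >= minRun
// consecutive spaces/tabs on a single line. Linear scan, no regex backtracking.
function findOffscreenCode(source, minRun = MIN_RUN) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    let run = 0;
    for (let i = 0; i < text.length; i++) {
      const ch = text[i];
      if (ch === ' ' || ch === '\t') { run++; continue; }
      if (run >= minRun) {
        findings.push({
          line: idx + 1,                 // 1-based line number
          column: i + 1,                 // 1-based column where hidden text starts
          runLength: run,
          hidden: text.slice(i, i + 60), // short excerpt for triage
        });
      }
      run = 0;
    }
  });
  return findings;
}

// Scan a map of { relativePath: fileContents } and keep only flagged files.
function scanFiles(files, minRun = MIN_RUN) {
  return Object.entries(files)
    .map(([path, source]) => ({ path, findings: findOffscreenCode(source, minRun) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: line 3 looks empty in an editor without word wrap.
const SAMPLE_FILES = {
  'lib/commonjs/index.js': [
    "'use strict';",
    "exports.useFocus = require('./useFocus');",
    ' '.repeat(400) + "hiddenCall('constructed stand-in');",
    'exports.ready = true;   // ordinary spacing is not flagged',
  ].join('\n'),
  'lib/commonjs/clean.js': 'module.exports = {};\n' + ' '.repeat(300) + '\n',
};

for (const { path, findings } of scanFiles(SAMPLE_FILES)) {
  for (const f of findings) {
    console.log(`${path}:${f.line}:${f.column} code after ${f.runLength} whitespace chars: ${f.hidden}`);
  }
}
```

To run it against installed packages, read each .js file under node_modules into the map (for example with fs.readFileSync) before calling scanFiles.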
