SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Malware hits 16 React Native npm packages, 1m downloads at risk

Yesterday

Aikido Security has identified an active supply chain attack affecting 16 React Native packages available on the npm registry, with an estimated 1 million weekly downloads collectively at risk.

The attack was traced to the same threat actor responsible for the previous rand-user-agent compromise, with the campaign expanding to target widely used React Native components utilised by major enterprises adopting JavaScript technologies. The compromise began on the evening of 6 June 2025, starting with the package @react-native-aria/focus, which alone has 100,000 weekly downloads.

According to a timeline provided by Aikido Security, the attack unfolded in several phases. At 21:43 GMT+0 on 6 June, the attackers breached @react-native-aria/focus (version 0.2.10). In the following hours, eight more packages were compromised between 00:37 and 00:48 on 7 June. Further intrusions were detected between 14:28 and 14:46 GMT+0 the same day, affecting an additional seven packages, including @gluestack-ui/utils. By 01:22 on 8 June, all compromised packages had been marked as deprecated by their respective maintainers.

In total, the packages affected receive roughly 1 million downloads per week from developers and businesses worldwide. This scale of impact highlights the severity of the incident, raising significant concerns across the software supply chain community.

The malware delivered through these compromised packages is a Remote Access Trojan (RAT) that can execute arbitrary shell commands on infected machines, upload and download files, and, on Windows, persist via the %LOCALAPPDATA%\Programs\Python\Python3127 directory. The RAT beacons to command-and-control servers at 136.0.9[.]8 and 85.239.62[.]36 (addresses defanged), giving the attackers ongoing access to compromised systems.

Technical analysis by Aikido Security found that the injected code uses whitespace-based obfuscation: the malicious statements are placed after long runs of spaces on otherwise ordinary-looking lines, so that in a standard code editor without line wrapping they sit far to the right of the visible area. The persistence mechanism is a critical aspect of the attack: because the implant is dropped into a directory outside the project, upgrading or removing the package does not remove it, so systems remain infected even after maintainers publish a clean release.
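The whitespace trick described above can be spotted mechanically: a line on which real code follows a run of whitespace far wider than any editor viewport is not something a human writes. The following scanner is an added example, not Aikido's tooling or the project's code. It assumes a gap of 80 or more spaces or tabs as the threshold (an assumption; tune it to your editors), and the JavaScript sample it scans is a constructed stand-in, not the actual payload.

```python
import re
import sys
from pathlib import Path

# Assumed threshold: a run of whitespace wider than a typical editor viewport.
MIN_GAP = 80


def find_padded_code(source: str, min_gap: int = MIN_GAP) -> list:
    """Return (line_no, visible_prefix, hidden_code) for every line on which
    non-whitespace content follows a run of at least min_gap spaces or tabs.

    The lazy 'visible' group captures whatever a reader would see at the left
    margin; 'hidden' is the code pushed past the gap."""
    pat = re.compile(r"^(?P<visible>.*?\S)?[ \t]{%d,}(?P<hidden>\S.*)$" % min_gap)
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = pat.match(line)
        if m:
            hits.append((no, m.group("visible") or "", m.group("hidden")))
    return hits


def scan_tree(root: str, pattern: str = "*.js") -> dict:
    """Scan every file matching pattern under root; map path -> findings."""
    findings = {}
    for path in Path(root).rglob(pattern):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = find_padded_code(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: a harmless-looking module with a statement hidden
# 200 columns to the right on line 3. Not the real malicious code.
SAMPLE_JS = (
    "export function useFocus(ref) {\n"
    "  return ref && ref.current;\n"
    "}" + " " * 200 + "require('child_process');\n"
    "module.exports = { useFocus };\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python scan.py node_modules/@react-native-aria
        for path, hits in scan_tree(sys.argv[1]).items():
            for no, visible, hidden in hits:
                print(f"{path}:{no}: visible={visible!r} hidden={hidden[:60]!r}")
    else:
        for no, visible, hidden in find_padded_code(SAMPLE_JS):
            print(f"sample line {no}: visible={visible!r} hidden={hidden!r}")
```

A quick equivalent at the shell is `grep -rnE ' {80,}\S' node_modules/@react-native-aria`; the Python version is useful when you want the visible prefix and the hidden tail reported separately for triage.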

Charlie Eriksen, Malware Researcher at Aikido Security, commented on the incident: "It's concerning to see that this threat actor has been able to compromise several significant packages on npm in just a matter of weeks. The compromised packages are very popular and are used by many big enterprises, according to our data. The reach and scale of this breach is hard to understate."

He further emphasised the urgency of the issue: "There's a lot to be said about this story, but given the magnitude of the attack, we wanted to raise awareness about it as quickly as possible, so that people can protect themselves. These attackers have consistently demonstrated the ability to compromise packages, deploying their remote access trojans (RATs)."

Eriksen also addressed the timing of the compromise, stating: "On one hand, the fact this occurred on a Friday evening after business hours in most of the world is unfortunate. However, it also decreases the impact, as most people are enjoying the weekend. In situations like this, time to remediation is crucial."

The attackers' ability to retain persistence even after package updates has serious implications, facilitating various attack paths, including illicit cryptocurrency mining, denial-of-service activities, theft of credentials and sensitive data, and potential lateral movement through affected organisations' networks.

The full list of affected packages comprises: @react-native-aria/focus (0.2.10), @react-native-aria/utils (0.2.13), @react-native-aria/overlays (0.3.16), @react-native-aria/interactions (0.2.17), @react-native-aria/toggle (0.2.12), @react-native-aria/switch (0.2.5), @react-native-aria/checkbox (0.2.11), @react-native-aria/radio (0.2.14), @react-native-aria/button (0.2.11), @react-native-aria/menu (0.2.16), @react-native-aria/listbox (0.2.10), @react-native-aria/tabs (0.2.14), @react-native-aria/combobox (0.2.8), @react-native-aria/disclosure (0.2.9), @react-native-aria/slider (0.2.13), @react-native-aria/separator (0.2.7), and @gluestack-ui/utils (0.1.16, 0.1.17).

In light of the breach, Aikido Security recommends three immediate steps for organisations that have installed any of the affected package versions. First, check firewall logs for connections to the two command-and-control addresses. Second, inspect Windows hosts for the persistence directory under %LOCALAPPDATA%\Programs\Python. Third, treat every system on which these packages were installed as potentially compromised, rotate credentials, and audit access controls.
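To turn the package list and the three recommended checks into something repeatable, here is an added example (not Aikido's tooling or the projects' own code) that matches a package-lock.json against the affected versions, flags firewall log lines that contact either C2 address, and builds the expected persistence path. The lockfile and firewall lines it ships with are constructed samples; the log format and ports are assumptions, and the check for the persistence directory only reports whether it exists.

```python
import json
import os
import re
import sys
from pathlib import Path

# Package versions named in the Aikido advisory as compromised.
AFFECTED = {
    "@react-native-aria/focus": {"0.2.10"},
    "@react-native-aria/utils": {"0.2.13"},
    "@react-native-aria/overlays": {"0.3.16"},
    "@react-native-aria/interactions": {"0.2.17"},
    "@react-native-aria/toggle": {"0.2.12"},
    "@react-native-aria/switch": {"0.2.5"},
    "@react-native-aria/checkbox": {"0.2.11"},
    "@react-native-aria/radio": {"0.2.14"},
    "@react-native-aria/button": {"0.2.11"},
    "@react-native-aria/menu": {"0.2.16"},
    "@react-native-aria/listbox": {"0.2.10"},
    "@react-native-aria/tabs": {"0.2.14"},
    "@react-native-aria/combobox": {"0.2.8"},
    "@react-native-aria/disclosure": {"0.2.9"},
    "@react-native-aria/slider": {"0.2.13"},
    "@react-native-aria/separator": {"0.2.7"},
    "@gluestack-ui/utils": {"0.1.16", "0.1.17"},
}

# Command-and-control addresses from the advisory (shown defanged on the page).
C2_IPS = {"136.0.9.8", "85.239.62.36"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _walk_v1(deps: dict, hits: list) -> None:
    # lockfileVersion 1 nests transitive dependencies under "dependencies".
    for name, meta in deps.items():
        if meta.get("version") in AFFECTED.get(name, ()):
            hits.append((name, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), hits)


def affected_in_lockfile(lock: dict) -> list:
    """Return sorted, de-duplicated (package, version) pairs that match an
    affected version. Handles package-lock.json v2/v3 ("packages" keyed by
    node_modules path, which also covers nested copies) and v1 ("dependencies")."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED.get(name, ()):
            hits.append((name, meta["version"]))
    _walk_v1(lock.get("dependencies", {}), hits)
    return sorted(set(hits))


def c2_hits_in_log(lines) -> list:
    """Return log lines in which some IPv4 field equals a known C2 address.
    Matching whole addresses avoids false hits on e.g. 136.0.9.80."""
    return [ln for ln in lines if C2_IPS & set(IPV4_RE.findall(ln))]


def persistence_path(localappdata: str) -> Path:
    """The directory the advisory names for Windows persistence. The python.org
    per-user installer uses a major.minor name such as Python312, so a
    Python3127 directory should not be assumed to be a legitimate install."""
    return Path(localappdata) / "Programs" / "Python" / "Python3127"


# Constructed sample inputs, not data from the incident.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@react-native-aria/focus": {"version": "0.2.10"},
        "node_modules/@react-native-aria/utils": {"version": "0.2.12"},
        "node_modules/@gluestack-ui/utils": {"version": "0.1.17"},
        "node_modules/react": {"version": "18.2.0"},
        # nested copy of the same bad version, reported once
        "node_modules/ui-kit/node_modules/@react-native-aria/focus": {"version": "0.2.10"},
    },
}
SAMPLE_FW_LOG = [
    "2025-06-07T02:11:09Z ALLOW TCP 10.0.4.21:51322 -> 136.0.9.8:443",
    "2025-06-07T02:11:10Z ALLOW TCP 10.0.4.21:51323 -> 142.250.74.78:443",
    "2025-06-07T02:14:41Z DENY  TCP 10.0.4.37:49817 -> 85.239.62.36:8080",
]

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    print("affected packages:", affected_in_lockfile(lock))
    for ln in c2_hits_in_log(SAMPLE_FW_LOG):
        print("C2 contact:", ln)
    p = persistence_path(os.environ.get("LOCALAPPDATA", r"C:\Users\me\AppData\Local"))
    print("persistence dir present:", p.is_dir(), "->", p)
```

Run it with a real lockfile as the first argument, and feed exported firewall lines to c2_hits_in_log; a hit on either function is enough to move the host into the "treat as compromised" bucket from the third recommendation rather than a reason to stop at removing the package.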
