16 React Native Packages with Millions of Downloads Compromised Overnight

Cybersecurity researchers have uncovered a large-scale attack targeting the npm ecosystem, compromising 16 popular React Native packages with a combined download count exceeding one million per week.

The attack, detected on June 6th, 2025, represents a significant escalation in an ongoing campaign by a sophisticated threat actor previously linked to the compromise of the rand-user-agent npm package.

This latest breach, which unfolded over mere hours, has injected malicious payloads into widely used libraries, posing an immediate risk to developers and organizations relying on these dependencies.


A Massive Supply Chain Attack Unfolds

The attack began at 21:33 GMT on June 6th, with the release of version 0.2.10 of @react-native-aria/focus.

Within hours, the attacker systematically updated 15 additional packages, including @react-native-aria/utils, @react-native-aria/interactions, and @gluestack-ui/utils, embedding malicious code in each.

[Figure: lib/commonjs/index.js of a compromised package; the malicious code had been inserted on line 46]

The payload, appended to a single line of files like lib/commonjs/index.js behind a long run of whitespace so that it sits off-screen in most editors, mirrors the Remote Access Trojan (RAT) seen in prior incidents.

Once executed, it establishes communication with command-and-control (C2) servers, harvests system metadata, and enables file uploads, command execution, and reconnaissance activities.

Notably, the malware attempts persistence on Windows systems through a directory named to look like a legitimate Python installation, %LOCALAPPDATA%\Programs\Python\Python3127 (a genuine CPython 3.12 install uses Python312); the presence of that directory is a clear sign of compromise.

Malicious Payloads

This campaign introduces new C2 servers, such as http://85.239.62[.]36:3306, alongside updated RAT commands like ss_info for system profiling and ss_ip for fetching public IP data via external APIs, showcasing the attacker’s evolving tactics.

The scale of this attack cannot be overstated. Each compromised package version has been meticulously documented, from @react-native-aria/button (v0.2.11) to @react-native-aria/slider (v0.2.13), and the attacker has targeted critical UI components integral to countless mobile applications.

According to Aikido's report, the rapid succession of updates, spanning June 6th to June 7th, suggests a well-coordinated operation aimed at maximizing reach before detection.

Developers who have installed these versions, whether directly or as transitive dependencies pulled in by a UI library, are urged to audit their lockfiles and node_modules immediately, as the RAT could facilitate deeper intrusions or data exfiltration.

Firewall and proxy logs should be inspected for connections to the identified malicious IPs; note that the C2 server listens on TCP port 3306, the standard MySQL port, so egress rules that permit database traffic will not block it. Any presence of the aforementioned Python directory warrants immediate isolation of affected systems.

This incident underscores the fragility of open-source supply chains, where trust in dependencies can be weaponized at scale.

As the situation remains fluid, with potential for additional compromises, the cybersecurity community is on high alert.

Organizations must prioritize dependency scanning, enforce version pinning, and adopt robust monitoring to mitigate such risks. Below is a table of Indicators of Compromise (IoCs) to aid in identifying and responding to this ongoing threat.

Indicators of Compromise (IoCs)

Packages/Versions:
@react-native-aria/focus 0.2.10
@react-native-aria/utils 0.2.13
@react-native-aria/overlays 0.3.16
@react-native-aria/interactions 0.2.17
@react-native-aria/toggle 0.2.12
@react-native-aria/switch 0.2.5
@react-native-aria/checkbox 0.2.11
@react-native-aria/radio 0.2.14
@react-native-aria/button 0.2.11
@react-native-aria/menu 0.2.16
@react-native-aria/listbox 0.2.10
@react-native-aria/tabs 0.2.14
@react-native-aria/combobox 0.2.8
@react-native-aria/disclosure 0.2.9
@react-native-aria/slider 0.2.13
@react-native-aria/separator 0.2.7
@gluestack-ui/utils 0.1.16, 0.1.17

Malicious IPs (C2):
136.0.9[.]8
85.239.62[.]36 (observed as http://85.239.62[.]36:3306)

Persistence Path (Windows):
%LOCALAPPDATA%\Programs\Python\Python3127
