Developers Beware! 16 React Native Packages With Millions of Downloads Compromised Overnight
A sophisticated supply chain attack has compromised 16 popular React Native packages with over one million combined weekly downloads, marking a significant escalation in ongoing NPM ecosystem threats.
The attack, which began on June 6th, 2025, systematically backdoored packages in the React Native Aria ecosystem and the GlueStack framework with a remote access trojan (RAT) that gives the attackers persistent control of the infected host and a channel for data exfiltration.
The attack began at 21:33 GMT on June 6th, when version 0.2.10 of @react-native-aria/focus was published, the first compromise in what became a coordinated overnight campaign.
That package had not been updated since October 18th, 2023, so a sudden new release was exactly the kind of anomaly that monitoring for publish activity on dormant packages is meant to catch.
The attackers hid the malicious code in the package's lib/commonjs/index.js behind a long run of whitespace, so that the payload sits far to the right of the visible area in a code editor without word wrap and a reviewer scrolling through the file sees only an apparently blank line.
Following the initial compromise, the threat actors systematically targeted additional packages throughout the night and into the following day, compromising popular libraries including @react-native-aria/utils, @react-native-aria/overlays, @react-native-aria/interactions, and ultimately extending their reach to @gluestack-ui/utils.
Aikido analysts identified this as a continuation of previous attacks against the rand-user-agent package, noting the deployment of nearly identical payload structures with enhanced capabilities.
The malware represents a significant evolution from previous supply chain attacks, featuring dual command-and-control infrastructure and enhanced reconnaissance capabilities.
The attackers demonstrated remarkable persistence and coordination, completing the compromise of all 16 packages within approximately 17 hours, suggesting either automated tooling or a well-coordinated team effort.
Together these packages serve over one million weekly downloads, which puts the backdoor in front of a very large population of React Native developer machines and CI systems.
Obfuscation and Payload Delivery Mechanisms
The attackers used a multi-layered approach to payload delivery, beginning with whitespace-based obfuscation that keeps the malicious code off-screen in most development environments.
The primary payload, inserted at line 46 of the compromised index.js files, appears as an innocuous blank line but contains the following obfuscated code:
```js
global['_V']='8-npm13';global['r']=require; (f
```
This bootstrap stores a version marker ('8-npm13') and a reference to require in the global object, so that the rest of the obfuscated payload can load Node.js modules without the identifier require appearing in it; the RAT itself is loaded and its communication channels are set up from there.
The malware immediately captures system information including platform details, hostname, username, and system architecture through Node.js built-in modules.
The payload selects its command-and-control endpoint based on the embedded version marker, so different builds can be pointed at different servers; this is the dual C2 infrastructure noted above.
The malware establishes persistence on Windows systems through the %LOCALAPPDATA%\Programs\Python\Python3127 directory, a path chosen to look like a legitimate Python installation.
Additionally, the RAT adds reconnaissance commands such as ss_info for system metadata collection and ss_ip for external IP enumeration, which points to an interest in detailed environmental awareness and preparation for lateral movement.