Over 950K weekly downloads at risk in ongoing supply chain attack on Gluestack packages

Pierluigi Paganini June 08, 2025

A supply chain attack hit NPM, threat actors compromised 16 popular Gluestack packages, affecting 950K+ weekly downloads.

Researchers from Aikido Security discovered a new supply chain attack targeted NPM, compromising 16 popular Gluestack ‘react-native-aria’ packages with over 950K weekly downloads.

Our Malware Intelligence team has detected an active and on-going attack against packages on npm against the @react-native-aria/ scope.

Combined, the 13 affected packages have more than 650.000 downloads per week each.
— Aikido Security (@AikidoSecurity) June 7, 2025

The attack began on June 6 at 4:33 PM EST with a malicious update to the react-native-aria/focus package. Attackers injected a malicious code with remote access trojan (RAT) capabilities. Since then, threat actors have tampered with 16 of 20 packages, continuing to publish malicious updates.

Threat actors injected the malicious code into the lib/index.js file of the compromised packages.

The cybersecurity firm listed the compromised packages in theirs Malware feed: https://intel.aikido.dev/?tab=malware. The researchers warn that the attack is still ongoing and urge users to stay tuned for updates.

Threat actors injected the malicious code into the lib/index.js file for the following packages:

BleepingComputer confirmed that the compromised packages have approximately 960,000 weekly downloads.

Aikido Security researchers believe the threat actor behind this supply chain attack is the same they have spotted recently while analyzing a suspicious code in the file dist/index.js of the the package `rand-user-agent`.

“On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, rand-user-agent@1.0.110. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads.” wrote the experts. “The payload is quite obfuscated, using multiple layers of obfuscation to hide.” “We’ve got a RAT (Remote Access Trojan) on our hands.”

The attack is by the same threat actors we've documented recently, deploying the same tactics and backdoor. You can find the details of it here from our previous reporting:https://t.co/DbQK4MYUGM
— Aikido Security (@AikidoSecurity) June 7, 2025

Aikido Security attempted to notify Gluestack about the ongoing supply chain attack, but has yet to receive a response.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NPM)

Pierluigi Paganini July 15, 2025

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

Pierluigi Paganini July 14, 2025