Pierluigi Paganini
June 08, 2025
Researchers from Aikido Security discovered a new supply chain attack targeted NPM, compromising 16 popular Gluestack ‘react-native-aria’ packages with over 950K weekly downloads.
— Aikido Security (@AikidoSecurity) June 7, 2025
Our Malware Intelligence team has detected an active and on-going attack against packages on npm against the @react-native-aria/ scope.
Combined, the 13 affected packages have more than 650.000 downloads per week each.
The attack began on June 6 at 4:33 PM EST with a malicious update to the react-native-aria/focus package. Attackers injected a malicious code with remote access trojan (RAT) capabilities. Since then, threat actors have tampered with 16 of 20 packages, continuing to publish malicious updates.
Threat actors injected the malicious code into the lib/index.js file of the compromised packages.
The cybersecurity firm listed the compromised packages in theirs Malware feed: https://intel.aikido.dev/?tab=malware. The researchers warn that the attack is still ongoing and urge users to stay tuned for updates.
Threat actors injected the malicious code into the lib/index.js file for the following packages:
BleepingComputer confirmed that the compromised packages have approximately 960,000 weekly downloads.
Aikido Security researchers believe the threat actor behind this supply chain attack is the same they have spotted recently while analyzing a suspicious code in the file dist/index.js of the the package `rand-user-agent`.
“On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, rand-user-agent@1.0.110. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads.” wrote the experts. “The payload is quite obfuscated, using multiple layers of obfuscation to hide.” “We’ve got a RAT (Remote Access Trojan) on our hands.”
The attack is by the same threat actors we've documented recently, deploying the same tactics and backdoor. You can find the details of it here from our previous reporting:https://t.co/DbQK4MYUGM
— Aikido Security (@AikidoSecurity) June 7, 2025
Aikido Security attempted to notify Gluestack about the ongoing supply chain attack, but has yet to receive a response.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NPM)
