A supply chain attack hit NPM: threat actors compromised 16 popular Gluestack packages, affecting 950K+ weekly downloads.

Researchers from [Aikido Security](https://www.aikido.dev/) discovered a new supply chain attack targeting NPM, compromising 16 popular Gluestack `react-native-aria` packages with over 950K weekly downloads.

> :rotating_light: Our Malware Intelligence team has detected an active and on-going attack against packages on npm against the @react-native-aria/ scope. Combined, the 13 affected packages have more than 650.000 downloads per week each.
> — Aikido Security (@AikidoSecurity) [June 7, 2025](https://twitter.com/AikidoSecurity/status/1931363764382663042?ref_src=twsrc%5Etfw)

The attack began on June 6 at 4:33 PM EST with a malicious update to the *react-native-aria/focus* package. Attackers injected malicious code with remote access trojan (RAT) capabilities. Since then, [threat actors have tampered with 16 of the 20 packages](https://intel.aikido.dev/?tab=malware) in the scope, continuing to publish malicious updates. In each compromised package, the malicious code was injected into the `lib/index.js` file.

The cybersecurity firm listed the compromised packages in its malware feed: [https://intel.aikido.dev/?tab=malware](https://intel.aikido.dev/?tab=malware). The researchers warn that the attack is still ongoing and urge users to stay tuned for updates.

BleepingComputer [confirmed](https://www.bleepingcomputer.com/news/security/supply-chain-attack-hits-gluestack-npm-packages-with-960k-weekly-downloads/) that the compromised packages have approximately 960,000 weekly downloads.

Aikido Security researchers believe the threat actor behind this supply chain attack is the same one they recently spotted while analyzing suspicious code in the `dist/index.js` file of the `rand-user-agent` package.

*‘On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, `rand-user-agent@1.0.110`. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads.’* [wrote](https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise) the experts. *‘The payload is quite obfuscated, using multiple layers of obfuscation to hide.’* *‘We’ve got a RAT (Remote Access Trojan) on our hands.’*

> The attack is by the same threat actors we’ve documented recently, deploying the same tactics and backdoor. You can find the details of it here from our previous reporting:
> — Aikido Security (@AikidoSecurity) [June 7, 2025](https://twitter.com/AikidoSecurity/status/1931363892409639078?ref_src=twsrc%5Etfw)

Aikido Security [attempted](https://github.com/gluestack/gluestack-ui/issues/2894) to notify Gluestack about the ongoing supply chain attack, but has yet to receive a response.

Follow me on Twitter: [@securityaffairs](https://twitter.com/securityaffairs) and [Facebook](https://www.facebook.com/sec.affairs) and [Mastodon](https://infosec.exchange/@securityaffairs)

[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)

([SecurityAffairs](http://securityaffairs.co/wordpress/) — hacking, [NPM](https://securityaffairs.com/176530/security/malicious-npm-packages-to-steal-paypal-credentials.html))
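The article names the two facts a defender can act on directly: the affected packages live under the `@react-native-aria/` scope, and the injected payload sits in each package's `lib/index.js` and is heavily obfuscated. The following Node.js script is an added example (not code from the article, Aikido Security or Gluestack) showing how a team could triage its own dependency tree against those facts: it lists every lockfile entry under a watched scope and applies simple obfuscation heuristics to the corresponding `lib/index.js` text. The lockfile, the package names other than `focus`, the `0.0.0-sample` versions, the two source samples and the heuristic thresholds are all constructed for the demonstration and are assumptions, not indicators from the incident.

```javascript
"use strict";

// Scope named in the article. Everything else in this file is constructed sample data.
const WATCHED_SCOPE = "@react-native-aria/";

// Constructed package-lock.json (lockfileVersion 3 layout). Only "focus" is a
// package name from the article; "sample-pkg", "other-sample" and the versions
// are hypothetical. The nested path exercises non-top-level installs.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/@react-native-aria/focus": { version: "0.0.0-sample" },
    "node_modules/@react-native-aria/sample-pkg": { version: "0.0.0-sample" },
    "node_modules/some-dep/node_modules/@react-native-aria/other-sample": { version: "0.0.0-sample" },
  },
});

// Constructed lib/index.js contents: one ordinary module and one with the
// shape of minifier/obfuscator output (hex-style identifiers), not real malware.
const CLEAN_SAMPLE = "export function useFocus() {\n  return { focused: true };\n}\n";
const SUSPICIOUS_SAMPLE = Array.from({ length: 6 }, (_, i) => `var _0x${(0x1000 + i).toString(16)}=['x'];`).join("");

// Return [{ name, version }] for every lockfile package whose name is under `scope`,
// including packages nested below another dependency's node_modules.
function findScopedPackages(lockfileJson, scope = WATCHED_SCOPE) {
  const lock = JSON.parse(lockfileJson);
  const found = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const idx = installPath.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" root entry
    const name = installPath.slice(idx + "node_modules/".length);
    if (name.startsWith(scope)) found.push({ name, version: meta.version });
  }
  return found.sort((a, b) => a.name.localeCompare(b.name));
}

// Cheap, explainable signals for "does this source look obfuscated or like a dropper?".
function obfuscationIndicators(source) {
  const lines = source.split("\n");
  return {
    longestLine: Math.max(...lines.map((l) => l.length)),
    hexIdents: (source.match(/_0x[0-9a-f]{4,}/gi) || []).length, // _0x1a2b-style names
    dynamicEval: /\b(eval|Function)\s*\(/.test(source),          // runtime code construction
    childProc: /child_process/.test(source),                      // process spawning
  };
}

// Thresholds are assumptions chosen for the demo; tune them for your own code base.
function looksSuspicious(source) {
  const i = obfuscationIndicators(source);
  return i.longestLine > 500 || i.hexIdents >= 5 || (i.dynamicEval && i.childProc);
}

// Walk every in-scope package, read its lib/index.js via `readSource(name)`
// (returns the file text or null when unreadable) and bucket the results.
function triageInstalled(lockfileJson, readSource, scope = WATCHED_SCOPE) {
  const checked = [];
  const flagged = [];
  const unreadable = [];
  for (const pkg of findScopedPackages(lockfileJson, scope)) {
    const src = readSource(pkg.name);
    if (src === null) {
      unreadable.push(pkg.name); // never silently skip: an unreadable file is itself a finding
      continue;
    }
    checked.push(pkg.name);
    if (looksSuspicious(src)) flagged.push(pkg.name);
  }
  return { checked, flagged, unreadable };
}

// Demo run over the constructed data; a real run would back readSource with
// fs.readFileSync(path.join("node_modules", name, "lib", "index.js"), "utf8").
function demo() {
  const sources = {
    "@react-native-aria/focus": CLEAN_SAMPLE,
    "@react-native-aria/sample-pkg": SUSPICIOUS_SAMPLE,
    // "@react-native-aria/other-sample" intentionally has no source entry.
  };
  return triageInstalled(SAMPLE_LOCKFILE, (name) => sources[name] ?? null);
}

console.log(JSON.stringify(demo(), null, 2));
```

The heuristics are deliberately simple and produce false positives on legitimately minified bundles; the point is to surface which in-scope packages deserve a manual look, not to classify malware. A lockfile inventory like this is also what you would compare against the vendor's published list of bad versions once it is available.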