Over 950K weekly downloads at risk in ongoing supply chain attack on Gluestack packages

Pierluigi Paganini
June 08, 2025

A supply chain attack hit NPM, threat actors compromised 16 popular Gluestack packages, affecting 950K+ weekly downloads.

Researchers from Aikido Security discovered a new supply chain attack targeted NPM, compromising 16 popular Gluestack ‘react-native-aria’ packages with over 950K weekly downloads.

The attack began on June 6 at 4:33 PM EST with a malicious update to the react-native-aria/focus package. Attackers injected a malicious code with remote access trojan (RAT) capabilities. Since then, threat actors have tampered with 16 of 20 packages, continuing to publish malicious updates.

Threat actors injected the malicious code into the lib/index.js file of the compromised packages.

The cybersecurity firm listed the compromised packages in its malware feed: https://intel.aikido.dev/?tab=malware. The researchers warn that the attack is still ongoing and urge users to stay tuned for updates.

Threat actors injected the malicious code into the lib/index.js file for the following packages:

BleepingComputer confirmed that the compromised packages have approximately 960,000 weekly downloads.

Aikido Security researchers believe the threat actor behind this supply chain attack is the same one they spotted recently while analyzing suspicious code in the file dist/index.js of the package `rand-user-agent`.

“On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, [email protected]. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads.” wrote the experts. “The payload is quite obfuscated, using multiple layers of obfuscation to hide.” “We’ve got a RAT (Remote Access Trojan) on our hands.”
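As an added defender-side example (not code from the article, from Aikido Security or from Gluestack), the script below performs the two triage steps the article implies: list every package from the affected scopes in a project's package-lock.json, and flag obfuscation indicators (hex-escaped strings, `_0x…` identifiers, dynamic `eval`, very long lines, high entropy) in a package's lib/index.js. The scope prefixes `@react-native-aria/` and `@gluestack-ui/` are assumed from the package names quoted above, the lockfile and JavaScript snippets are constructed, and the thresholds are illustrative rather than taken from the page.

```python
"""Triage helper for the Gluestack/react-native-aria npm incident.

Constructed example: lists installed packages from watched scopes in a
package-lock.json and scores a lib/index.js for common obfuscation signs.
"""
import json
import math
import re
from collections import Counter

# Assumed scope prefixes (the '@' scope form is an assumption based on the
# package names quoted in the article, not something the page states).
WATCHED_SCOPES = ("@react-native-aria/", "@gluestack-ui/")


def find_scoped_packages(lock_text, scopes=WATCHED_SCOPES):
    """Return sorted (name, version) pairs for installed packages whose name
    starts with a watched scope, from a lockfileVersion 2/3 package-lock.json.
    Nested entries ("a/node_modules/b") are resolved to the inner package."""
    lock = json.loads(lock_text)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        if name.startswith(scopes):
            found.append((name, meta.get("version", "unknown")))
    return sorted(found)


def shannon_entropy(s):
    """Bits per character; obfuscated/packed text tends to score higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def obfuscation_indicators(source):
    """Heuristic signals seen in obfuscated JS; returns a dict of measurements."""
    lines = source.splitlines() or [""]
    return {
        "longest_line": max(len(line) for line in lines),
        "hex_escapes": len(re.findall(r"\\x[0-9a-fA-F]{2}", source)),
        "hex_identifiers": len(re.findall(r"\b_0x[0-9a-fA-F]{4,}\b", source)),
        "dynamic_eval": bool(re.search(r"\b(eval|Function)\s*\(", source)),
        "entropy": round(shannon_entropy(source), 2),
    }


def is_suspicious(ind):
    """Illustrative scoring: two or more signals -> worth a manual look."""
    signals = [
        ind["longest_line"] > 2000,
        ind["hex_escapes"] >= 10,
        ind["hex_identifiers"] >= 3,
        ind["dynamic_eval"],
        ind["entropy"] > 5.0,
    ]
    return sum(signals) >= 2


# Constructed sample inputs (versions are placeholders, not real releases).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/@react-native-aria/focus": {"version": "0.0.0-constructed"},
        "node_modules/@gluestack-ui/button": {"version": "0.0.0-constructed"},
        "node_modules/@gluestack-ui/button/node_modules/@react-native-aria/utils":
            {"version": "0.0.0-constructed"},
    },
})

CLEAN_JS = "export function useFocus() {\n  return { focused: true };\n}\n"

# Constructed obfuscated snippet in the style the article describes (hex-escaped
# strings, _0x identifiers, eval); it is not the real payload.
OBF_JS = (
    r'var _0x4f2a=["\x68\x65\x6c\x6c\x6f","\x77\x6f\x72\x6c\x64"];'
    r"var _0x1b3c=function(){return _0x4f2a[0];};"
    r"eval(_0x1b3c());"
)

if __name__ == "__main__":
    for name, version in find_scoped_packages(SAMPLE_LOCK):
        print(f"installed: {name}@{version}")
    for label, src in (("clean", CLEAN_JS), ("obfuscated", OBF_JS)):
        ind = obfuscation_indicators(src)
        print(label, ind, "SUSPICIOUS" if is_suspicious(ind) else "ok")
```

Run against a real project by replacing `SAMPLE_LOCK` with the contents of its package-lock.json and feeding each listed package's lib/index.js to `obfuscation_indicators`; the scoring is a triage aid for deciding what to inspect by hand, not a malware verdict, and any package on Aikido's feed should be treated as compromised regardless of score.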

Aikido Security attempted to notify Gluestack about the ongoing supply chain attack, but has yet to receive a response.
