https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem

Cybersecurity researchers have uncovered a supply chain attack on more than a dozen npm packages associated with Gluestack, delivering malware to developers who install them. The malicious code was injected into each package's published "lib/commonjs/index.js", the CommonJS entry point, so it runs whenever the package is required; it gives attackers the ability to execute shell commands, capture screenshots, and upload files from infected systems. The compromised packages collectively account for nearly one million weekly downloads, a significant exposure for the software development community.

The attack was first detected on June 6, 2025, at 9:33 p.m. GMT, affecting seventeen packages within the React Native Aria ecosystem. The malware closely resembles the remote access trojan found in the compromised npm package "rand-user-agent" the previous month, suggesting the same threat actors may be running multiple supply chain campaigns. This variant adds capabilities for harvesting system information and determining the public IP address of the infected host, an evolution in the attackers' tooling.
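The practical first step for a team that consumes these packages is to audit its lockfile against the advisory's list of compromised versions and to look at the CommonJS entry points that were actually modified. The script below is an added example, not code from the Aikido post or from the Gluestack project; the package names, versions, lockfile and index.js contents are constructed for illustration and the real indicator list must come from the vendor advisory. The content scan is a heuristic that flags capabilities a UI component library has no reason to use (spawning shells, enumerating network interfaces, evaluating strings, carrying long Base64 blobs), not a signature for the actual payload.

```javascript
// Added example: audit an npm lockfile for known-bad versions and triage a
// package's lib/commonjs/index.js for capabilities a UI library should not have.
// Names, versions and file contents below are constructed, not from the advisory.

const COMPROMISED = new Map([
  // name -> Set of versions (hypothetical values, stand-ins for the advisory list)
  ["@example-aria/button", new Set(["0.2.5"])],
  ["@example-aria/utils", new Set(["0.3.1", "0.3.2"])],
]);

// Collect every installed (name, version, path) from a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
// lockfileVersion 1 ("dependencies" as a nested tree).
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const idx = path.lastIndexOf("node_modules/");
      const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
      if (meta && meta.version) found.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (meta.version) found.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Return the installed entries whose exact version is on the compromised list.
function findCompromised(lock, indicators = COMPROMISED) {
  return collectInstalled(lock).filter(
    (p) => indicators.has(p.name) && indicators.get(p.name).has(p.version)
  );
}

// Heuristic triage of a CommonJS entry point: each pattern is something a
// component library has no business doing. Hits mean "read this file", not "malware".
const SUSPICIOUS = [
  { id: "child_process", re: /require\(\s*["']child_process["']\s*\)/ },
  { id: "eval-or-Function", re: /\beval\(|new Function\(/ },
  { id: "network-interfaces", re: /os\.networkInterfaces\(/ },
  { id: "long-base64", re: /["'][A-Za-z0-9+/]{200,}={0,2}["']/ },
];

function scanCommonjsEntry(source) {
  return SUSPICIOUS.filter((s) => s.re.test(source)).map((s) => s.id);
}

// Constructed sample lockfile (lockfileVersion 3): one pinned version is on the list.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-aria/button": { version: "0.2.5" },
    "node_modules/@example-aria/utils": { version: "0.3.0" },
    "node_modules/react": { version: "18.3.1" },
  },
};

// Constructed sample index.js: a benign re-export with a block appended after it.
const SAMPLE_INDEX = `
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.useButton = require("./useButton").useButton;
const cp = require("child_process");
const os = require("os");
const hostInfo = { ifaces: os.networkInterfaces(), platform: process.platform };
`;

console.log("compromised installs:", findCompromised(SAMPLE_LOCK));
console.log("suspicious indicators:", scanCommonjsEntry(SAMPLE_INDEX));
```

To use it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and run `scanCommonjsEntry` over `node_modules/<pkg>/lib/commonjs/index.js` for each package in the affected scope; a lockfile match is authoritative, while a content hit only tells you where to look.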

Concurrent with this discovery, security researchers identified additional malicious packages on both npm and PyPI repositories. Two rogue npm packages masquerading as legitimate utilities were found to contain wipers capable of deleting entire application directories, while a Python package disguised as an Instagram growth tool was harvesting user credentials and distributing them across ten different bot services. The npm packages used sophisticated techniques including email-based covert communication channels and platform-specific destruction commands, while the Python malware implemented remote kill switches and Base64 encoding to evade detection.

Project maintainers have responded by revoking compromised access tokens and marking affected versions as deprecated, but the incident highlights the persistent nature of these attacks. Security experts warn that attackers retain access to hosts that installed a malicious version even after the packages are updated: upgrading the dependency keeps the implant out of future installs but does not evict an attacker from a machine that already ran it, so such machines need to be treated as compromised. The emergence of destructive packages also marks a shift from financially motivated attacks toward system sabotage, a new chapter in supply chain security threats that could affect millions of developers and organizations worldwide.