Major Supply Chain Attack Compromises Popular NPM Packages: Over 1 Million Weekly Downloads Affected

Jun 11, 2025 | App Modernization, Cloud, Fresh Ink, Mobile, Security

A sophisticated supply chain attack has targeted 17 popular Gluestack NPM packages, potentially exposing millions of developers and applications to malicious code.

The cybersecurity community is grappling with yet another significant supply chain attack, this time targeting the Node Package Manager (NPM) ecosystem. Seventeen popular Gluestack ‘@react-native-aria’ packages, with over 1 million combined weekly downloads, were compromised to include malicious code that acts as a remote access trojan (RAT).

The Scope of the Attack

The compromise began on June 6 at 4:33 PM EST, when a new version of the @react-native-aria/focus package was published to NPM. What started as a single compromised package quickly escalated into a widespread attack affecting multiple components of the Gluestack ecosystem.

The attack’s impact is substantial, with affected packages including:

  • @react-native-aria/interactions (125,000 weekly downloads)
  • @react-native-aria/utils (120,000 weekly downloads)
  • @react-native-aria/focus (100,000 weekly downloads)
  • @react-native-aria/overlays (96,000 weekly downloads)
  • @react-native-aria/checkbox (81,000 weekly downloads)

Combined, the affected packages account for approximately 1,020,000 weekly downloads, making this a massive supply chain attack with potentially widespread consequences.

Discovery and Analysis

The supply chain attack was discovered by cybersecurity firm Aikido Security, which found obfuscated code injected into the lib/index.js file of the affected packages. The malicious code was placed to avoid detection: it was heavily obfuscated and appended to the last line of source code in the file, padded with many spaces so that it is not easily spotted when using the code viewer on the NPM site.

The Malware’s Capabilities

The injected malware functions as a sophisticated remote access trojan with extensive capabilities. It connects to the attackers’ command and control server and receives commands to execute, including:

Directory and File Operations:

  • Change current working directory
  • Reset directory to script’s path
  • Force directory changes
  • Upload individual files or entire directories

System Compromise:

  • Execute arbitrary shell commands
  • Interrupt ongoing processes
  • Perform Windows PATH hijacking

Particularly concerning is the malware’s ability to manipulate the system environment. On Windows, the trojan performs PATH hijacking by prepending a fake Python path (%LOCALAPPDATA%\Programs\Python\Python3127) to the PATH environment variable, so that invocations of python or pip silently resolve to the malware’s binaries instead of the legitimate ones.

Response and Mitigation Efforts

The response to this attack has been challenging due to timing and communication barriers. Aikido Security researcher Charlie Eriksen attempted to contact Gluestack about the compromise by creating GitHub issues on each of the project’s repositories, but there had been no response at the time of writing.

The timing of the attack appears deliberate, with researchers noting that “it’s morning on a saturday in the US which is prob exactly why its happening now”, suggesting attackers chose a time when maintainers would be less likely to respond quickly.

Update: GlueStack has now revoked an access token that was used to publish the compromised packages and they are now marked as deprecated on NPM. However, complete remediation remains challenging because “unpublishing the compromised version wasn’t possible due to dependent packages”.

Broader Campaign Context

This attack appears to be part of a larger, coordinated campaign. Aikido also attributes it to the same threat actors who compromised four other NPM packages earlier in the same week: biatec-avm-gas-station, cputil-node, lfwfinance/sdk, and lfwfinance/sdk-dev.

The similarity in tactics and code suggests a well-organized threat actor group with specific expertise in NPM supply chain attacks.

Implications for IT Teams

This incident underscores several critical security considerations for IT teams:

Dependency Management: Organizations must implement robust dependency scanning and management processes. The widespread use of these packages means that many applications may be unknowingly compromised.

Supply Chain Security: Traditional security measures focusing on perimeter defense are insufficient against supply chain attacks. Security must be integrated throughout the development lifecycle.

Incident Response: The delayed response to this attack highlights the importance of having clear communication channels and rapid response procedures for security incidents.

Monitoring and Detection: Organizations should implement continuous monitoring of their software supply chains and maintain updated inventories of all dependencies.

Best Practices Moving Forward

To protect against similar attacks, IT teams should:

  1. Implement Dependency Scanning: Use automated tools to scan for known vulnerabilities and suspicious code in dependencies
  2. Pin Package Versions: Avoid automatic updates and carefully review changes before updating dependencies
  3. Use Private Registries: Consider using private package registries for critical applications
  4. Regular Security Audits: Conduct regular security audits of the entire software supply chain
  5. Incident Response Planning: Develop and test incident response procedures specifically for supply chain compromises
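An inventory check for steps 1 and 2 above, as an added example that is not code from the article or the Gluestack project: it lists every @react-native-aria package resolved in a package-lock.json and reports whether each direct dependency is pinned to an exact version. It assumes the lockfileVersion 2/3 "packages" shape, and the sample inputs are constructed.

```javascript
// Added example, not from the article or the Gluestack project. Inventories
// every @react-native-aria package in a package-lock.json (lockfileVersion 2/3
// "packages" shape assumed) and reports whether each direct dependency is
// pinned to an exact version rather than a floating range.
const SCOPE = '@react-native-aria/';

// Exact pin: "1.2.3" or "1.2.3-rc.1"; ^, ~, x, *, ranges and tags all float.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(String(range).trim());
}

// Lock keys read "node_modules/@scope/name", or when nested
// "node_modules/a/node_modules/@scope/name"; the package name is the tail.
function nameFromLockKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
}

function inventoryScopedPackages(pkgJson, lock, scope = SCOPE) {
  const declared = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const report = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name.startsWith(scope)) continue;
    const range = declared[name];
    report.push({
      name,
      installed: entry.version,
      direct: range !== undefined,            // transitive copies still need review
      pinned: range === undefined ? null : isExactPin(range),
    });
  }
  return report.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample inputs; versions are placeholders, not the compromised ones.
const SAMPLE_PKG = { dependencies: { '@react-native-aria/focus': '^0.0.0', react: '18.2.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: SAMPLE_PKG.dependencies },
    'node_modules/@react-native-aria/focus': { version: '0.0.0' },
    'node_modules/@react-native-aria/focus/node_modules/@react-native-aria/utils': { version: '0.0.0' },
    'node_modules/react': { version: '18.2.0' },
  },
};
console.log(inventoryScopedPackages(SAMPLE_PKG, SAMPLE_LOCK));
```

Feed it the parsed contents of a real package.json and package-lock.json to see which affected packages are present, which are transitive, and which direct dependencies still use a floating range.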

Conclusion

The Gluestack NPM supply chain attack represents a significant escalation in the sophistication and scale of attacks targeting software development ecosystems. With over one million weekly downloads affected, this incident demonstrates how a single compromised token can have far-reaching consequences across the entire development community.

Organizations must recognize that supply chain security is not just a developer concern but a critical business risk that requires enterprise-wide attention and resources. The rapid response and community collaboration seen in addressing this attack also highlight the importance of maintaining strong security communities and communication channels.

As supply chain attacks continue to evolve in complexity and impact, the security community must remain vigilant and continue to develop both technical solutions and procedural safeguards to protect the software ecosystem that underpins modern digital infrastructure.


This analysis is based on reporting from cybersecurity firm Aikido Security and ongoing investigation into the compromise. Organizations using affected packages should immediately review their dependencies and implement appropriate security measures.
