Cybersecurity researchers have uncovered a supply chain attack that has compromised over a dozen packages associated with GlueStack, potentially affecting nearly one million weekly downloads. The attack, first detected on June 6, 2025, involves the unauthorized insertion of malware into packages such as `@gluestack-ui/utils` and `@react-native-aria/button`, enabling threat actors to execute shell commands, upload files, and take screenshots on infected machines. This alarming incident has raised concerns about the scale and impact of such vulnerabilities in widely used software libraries.
Aikido Security, the firm that reported the breach, noted that the attack could lead to various malicious activities, including the theft of sensitive information and the mining of cryptocurrency. All affected packages have been marked as deprecated, and their access tokens have been revoked. Users who downloaded the compromised versions are advised to roll back to safe versions to mitigate potential threats.
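Before rolling back, a team needs to know where the deprecated packages actually sit in its dependency tree, including nested copies that `npm ls` can hide. The following script is an added example, not code from the article, Aikido Security, or GlueStack: it reads a `package-lock.json` (both the v1 `dependencies` tree and the v2/v3 `packages` map), lists every occurrence of a watchlisted package, and flags the ones whose installed version is on the advisory's list. The two package names come from the article; the affected version strings are not given on the page, so the `WATCHLIST` versions and the sample lockfile are constructed placeholders that an operator would replace with the advisory's real data.

```javascript
// Added example (not from the article, Aikido Security or GlueStack).
// Package names are the two the article names; the version sets are
// constructed PLACEHOLDERS because the page does not list affected versions.
const WATCHLIST = {
  "@gluestack-ui/utils": new Set(["0.0.0-placeholder"]),
  "@react-native-aria/button": new Set(["0.0.0-placeholder"]),
};

// Constructed sample lockfile in the lockfileVersion 3 layout: "packages" is
// keyed by node_modules path, and nested copies carry a longer path.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@gluestack-ui/utils": { version: "0.0.0-placeholder" },
    "node_modules/@react-native-aria/button": { version: "0.0.0-placeholder" },
    "node_modules/left-pad": { version: "1.3.0" },
    // nested copy pinned to a (constructed) version that is not on the watchlist
    "node_modules/some-lib/node_modules/@gluestack-ui/utils": { version: "0.0.1-safe" },
  },
});

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
// (the package name is whatever follows the last "node_modules/").
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// lockfileVersion 1 stores a nested "dependencies" tree instead of a flat map.
function walkV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ name, path, version: meta.version });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, out);
  }
}

// Flatten either lockfile layout into [{ name, path, version }], skipping the
// root project entry ("" in v2/v3).
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    for (const [lockPath, meta] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(lockPath);
      if (name) out.push({ name, path: lockPath, version: meta.version });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Report every occurrence of a watchlisted package. Occurrences on a version
// that is not on the advisory list are still reported (compromised: false) so
// the operator sees each place a rollback or pin may be needed.
function auditLockfile(lockText, watchlist = WATCHLIST) {
  const lock = JSON.parse(lockText);
  return listInstalled(lock)
    .filter((pkg) => pkg.name in watchlist)
    .map((pkg) => ({ ...pkg, compromised: watchlist[pkg.name].has(pkg.version) }));
}

// Stand-alone run over the constructed sample lockfile.
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.compromised ? "COMPROMISED" : "present    "} ${f.name}@${f.version} at ${f.path}`);
}
```

Point the script at a real lockfile by replacing `SAMPLE_LOCK` with `fs.readFileSync("package-lock.json", "utf8")`, and fill `WATCHLIST` from the advisory. Matching on exact version strings rather than semver ranges is deliberate here: an advisory names the specific published versions that carried the payload, and a range check would obscure the difference between "this version was compromised" and "this package family was involved".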
The malicious code incorporated into these packages bears similarities to a remote access trojan linked to a prior incident involving the rand-user-agent npm package. This suggests that the same threat actors may be behind both incidents, underscoring a sophisticated and potentially widespread campaign against the npm ecosystem.
Experts warn that the malware's persistence mechanism lets attackers keep access to infected systems even after the packages themselves are updated. This resilience adds to the risk posed by such attacks, since it allows continued exploitation of affected systems, and points to a disturbing trend in software supply chain compromises.