Popular NPM packages with over a million downloads hit by malware
More than a dozen NPM packages had to be deprecated as a result

- 17 NPM packages with more than a million weekly downloads were compromised to deliver a RAT
- The attack could turn into a major supply chain attack, experts warned
- The packages were since deprecated, but users should be on their guard
More than a dozen packages on NPM were poisoned with a Remote Access Trojan (RAT), possibly infecting millions of projects.
Cybersecurity researchers Aikido Security recently discovered malicious code buried very deep in 17 popular Gluestack packages.
The packages cumulatively have more than a million weekly downloads, meaning a huge number of users could be affected, the experts warned.
Revoking access tokens
Here is the full list of compromised packages:
- @react-native-aria/button
- @react-native-aria/checkbox
- @react-native-aria/combobox
- @react-native-aria/disclosure
- @react-native-aria/focus
- @react-native-aria/interactions
- @react-native-aria/listbox
- @react-native-aria/menu
- @react-native-aria/overlays
- @react-native-aria/radio
- @react-native-aria/switch
- @react-native-aria/toggle
- @react-native-aria/utils
- @gluestack-ui/utils
- @react-native-aria/separator
- @react-native-aria/slider
- @react-native-aria/tabs
The packages deployed malicious code that connected to the attackers’ command-and-control (C2) server and received additional commands, including the ability to upload a single file or multiple files.
Furthermore, the trojan can execute Windows PATH hijacking and silently override legitimate python and pip commands.
In response, Gluestack revoked an access token used to publish the compromised packages. All of the poisoned tools are marked on NPM as deprecated.
"Unfortunately, unpublishing the compromised version wasn’t possible due to dependent packages," a GlueStack developer said on GitHub. "As a mitigation, I have deprecated the affected versions and updated the latest tag to point to a safe, older version."
The Node Package Manager (NPM) is the default package manager for the JavaScript runtime environment Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts, and more.
As such, it is vastly popular, having millions of monthly visitors, and hundreds of thousands of registered accounts that frequently publish their packages.
Unfortunately, popular platforms attract threat actors in droves, and situations such as this one are not uncommon on NPM or on similar platforms such as GitHub or PyPI.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.