Full Report
Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1
Analysis Summary
This summary synthesizes information derived from multiple related supply chain compromise incidents detailed in the provided context.
# Tool/Technique: GlueStack Ecosystem Malware (Supply Chain Injection)
## Overview
Malware injected into over a dozen packages within the `@gluestack-ui` and `@react-native-aria` ecosystems on npm, likely via compromise of the GlueStack repository or maintainer accounts. The primary goal appears to be establishing remote access for follow-on activities such as cryptocurrency mining, data theft, or service disruption.
## Technical Details
- Type: Malware (Remote Access Trojan functionality)
- Platform: JavaScript/Node.js (npm packages affecting React Native/web development environments)
- Capabilities: Remote command execution, screen capture, file upload, system information harvesting, public IP retrieval.
- First Seen: June 6, 2025 (First package compromise detected).
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- TA0005 - Defense Evasion
- T1218 - Signed Binary Proxy Execution (Implied by executing compromised code in development environment)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Remote Command Execution:** Allows the attacker to run arbitrary shell commands on the compromised host.
- **File System Interaction:** Capability to upload files from the infected machine.
- **Reconnaissance:** Capture system screenshots (`take screenshots`).
### Advanced Features
- **Updated RAT Functionality:** Contains commands for harvesting system information (`ss_info`) and retrieving the host's public IP address (`ss_ip`).
- **Persistence Concern:** Attackers allegedly maintain access even after package maintainers update the legitimate dependencies, suggesting a persistence mechanism beyond the initial package code (e.g., modification of local project files or persistent shell execution).
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: Malicious code injected into `lib/commonjs/index.js` within the libraries.
- Registry Keys: [N/A in context]
- Network Indicators: [C2 mechanism not explicitly detailed for this specific malware variant, but implies outbound communication for command relay and exfiltration.]
- Behavioral Indicators: Execution of shell commands originating from dependency routines; unauthorized network connections initiated by development processes.
## Associated Threat Actors
- Unknown, but similarity to the threat actor behind the `rand-user-agent` compromise suggests potential reuse of actor infrastructure or TTPs.
## Detection Methods
- Signature-based detection: Detecting the specific malicious code injection across the referenced package versions.
- Behavioral detection: Monitoring scripts executed during package installation or runtime that attempt to spawn shells, capture screens, or make unexpected outbound connections.
- YARA rules: [N/A in context]
## Mitigation Strategies
- **Rollback:** Users must roll back to safe, pre-compromise versions of the affected `@gluestack-ui` and `@react-native-aria` packages.
- **Access Control:** Project maintainers revoked the compromised access token.
- **Dependency Auditing:** Scrutinize code injected during dependency installation (especially from `postinstall` or initial execution scripts).
## Related Tools/Techniques
- Malware delivered via the compromised `rand-user-agent` npm package (shares similar RAT characteristics).
***
# Tool/Technique: express-api-sync (Wiper Malware)
## Overview
A malicious npm package designed to act as a destructive wiper. It remains dormant until it receives an HTTP request containing a hard-coded trigger key, at which point it recursively deletes all files in the current working directory.
## Technical Details
- Type: Malware (Wiper/Destructive Payload)
- Platform: Node.js/npm
- Capabilities: Remote trigger execution of file deletion commands (`rm -rf *`).
- First Seen: Prior to the reporting date; the package has since been taken down.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution (Implied if integrated into a running service)
- TA0004 - Privilege Escalation (If run with elevated permissions, necessary for full system wipe)
- TA0001 - Initial Access (Supply Chain compromise via npm)
## Functionality
### Core Capabilities
- **Triggered Execution:** Only executes deletion commands upon receiving an HTTP request containing the key "DEFAULT_123."
- **Wiping:** Executes the Unix command `rm -rf *` to destroy all files and subdirectories in the execution context.
### Advanced Features
- [N/A - Primarily a blunt instrument.]
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: `express-api-sync`
- Registry Keys: [N/A in context]
- Network Indicators: Dependency on receiving an initial HTTP request for activation.
- Behavioral Indicators: Execution of `rm -rf *` commands post-activation.
## Associated Threat Actors
- Unknown. Published by user account "botsailer" (email: anupm019@gmail[.]com).
## Detection Methods
- Behavioral detection: Monitoring for file deletion commands (`rm -rf *`) executed by application processes that typically do not perform such actions.
- Signature-based detection: Identifying the specific trigger key "DEFAULT_123" within application logic post-installation.
## Mitigation Strategies
- **Package Removal:** Deleting the package from the project dependencies.
- **Source Integrity:** Verifying package authors and vetting packages before installation.
## Related Tools/Techniques
- `system-health-sync-api` (Similar wiper/information stealer from the same publisher).
***
# Tool/Technique: system-health-sync-api (Wiper/Information Stealer)
## Overview
A sophisticated supply chain malware package that functions as both an information stealer and a wiper. It employs platform-specific deletion commands and uses SMTP email as a covert channel for data exfiltration.
## Technical Details
- Type: Malware (Wiper / Information Stealer / RAT hybrid)
- Platform: Node.js/npm (Affects applications running on Windows or Linux)
- Capabilities: Remote system wiping (Windows/Linux specific), system information gathering, data exfiltration via covert SMTP channel.
- First Seen: Prior to the reporting date; the package has since been taken down.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1048 - Exfiltration Over Alternative Protocol
- T1048.003 - Exfiltration Over Unencrypted Non-C2 Channel (SMTP)
- TA0007 - Credential Access
- T1552 - Unsecured Credentials
- TA0003 - Persistence (Registers multiple endpoints)
## Functionality
### Core Capabilities
- **Platform-Aware Wiping:** Executes `rd /s /q .` on Windows and `rm -rf *` on Linux to wipe the current directory.
- **Endpoint Backdoors:** Registers endpoints `/_/system/health` and `/_/sys/maintenance` to execute deletion commands.
### Advanced Features
- **Covert Exfiltration via SMTP:** Exfiltrates data, including backend URLs and environment details, by sending emails to the attacker (anupm019@gmail[.]com) using hardcoded, Base64-obfuscated SMTP credentials targeting the domain `auth@corehomes[.]in`.
- **Obfuscation:** The SMTP password utilizes Base64 encoding.
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: `system-health-sync-api`
- Registry Keys: [N/A in context]
- Network Indicators: Outbound connections attempting to use SMTP protocol to connect to mail servers associated with the domain `corehomes[.]in`.
- Behavioral Indicators: Attempted execution of disk-wiping commands (`rd /s /q .` or `rm -rf *`); unexpected outbound email traffic originating from application logic.
## Associated Threat Actors
- Unknown. Published by user account "botsailer" (email: anupm019@gmail[.]com).
## Detection Methods
- Behavioral detection: Monitoring outbound SMTP connections from application processes when no legitimate email functionality is expected.
- Network Monitoring: Detecting attempts to communicate with SMTP servers associated with the suspicious email domain.
## Mitigation Strategies
- **Firewall Rules:** While email traffic is often allowed outbound, specific monitoring or restriction on application processes initiating SMTP connections can be effective.
- **Dependency Vetting:** Strict process for reviewing package functionality before integrating dependencies published by new or unknown accounts.
## Related Tools/Techniques
- `express-api-sync` (Shared publisher and destructive intent).
***
# Tool/Technique: imad213 Collection (PyPI Credential Harvester)
## Overview
A collection of malicious Python libraries published on PyPI by user IMAD-213, primarily designed to harvest social media and email credentials (Facebook, Gmail, Twitter, VK) and use these credentials for follow-on activities, including boosting bot engagement.
## Technical Details
- Type: Malware (Credential Harvester/Botnet loader)
- Platform: Python
- Capabilities: Credential harvesting (social media/email), connection to external control file for kill switch evaluation, distribution of stolen credentials across bot service networks.
- First Seen: Packages uploaded around March/June 2025.
## MITRE ATT&CK Mapping
- TA0007 - Credential Access
- T1003 - OS Credential Dumping (Implied by credential harvesting)
- T1555 - Credentials from Password Stores
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer (Implied if subsequent malware is downloaded)
## Functionality
### Core Capabilities
- **Credential Prompting:** Explicitly prompts users to enter Instagram credentials.
- **Local Storage & Exfiltration:** Saves credentials locally to `credentials.txt` before broadcasting them.
- **Kill Switch:** Execution is conditional; it proceeds only if the content of an external file (`pass.txt`) matches the string "imad213."
### Advanced Features
- **Credential Laundering:** Stolen credentials are sent to ten different dubious bot service websites, obscuring the origin trail.
- **Deceptive Security:** GitHub documentation attempts to trick users into providing valid credentials by suggesting they use a "fake or temporary" Instagram account.
- **DDoS Component:** The package `poppo213` leverages Apache Bench to conduct denial-of-service attacks against streaming platforms and APIs.
## Indicators of Compromise
- File Hashes: [N/A in context]
- File Names: `imad213`, `taya`, `a-b27`, `poppo213` (PyPI package names).
- Registry Keys: [N/A in context]
- Network Indicators: Exfiltration directed towards ten bot service websites linked to Turkish Instagram growth tools; connection to external control server to fetch `pass.txt`.
- Behavioral Indicators: Installation of packages involving credential input prompts; network activity directed toward unknown or suspicious bot services.
## Associated Threat Actors
- IMAD-213 (PyPI user who joined March 21, 2025).
## Detection Methods
- Behavioral detection: Monitoring for Python applications reading and sending user input (credentials) to external, unauthorized destinations, especially those related to social media APIs or bot services.
- Signature-based detection: Detecting string references to known bot services or the specific kill switch string "imad213."
## Mitigation Strategies
- **Credential Input Monitoring:** Review client-side code for functions that prompt for sensitive credentials outside of established secure authentication flows.
- **Endpoint Control:** Strict egress filtering for applications handling sensitive data, limiting connections to known credential laundering endpoints.
## Related Tools/Techniques
- `taya`, `a-b27`, `poppo213` (Other related packages by the same author).