Full Report
A threat actor compromised 16 highly popular React Native and GlueStack packages, collectively downloaded over a million times weekly. The attackers inserted a stealthy backdoor into these packages using whitespace obfuscation to hide malicious code. The payload is a Remote Ac...
Analysis Summary
# Incident Report: Supply Chain Compromise of React Native and GlueStack Packages
## Executive Summary
A sophisticated threat actor successfully compromised 16 widely used React Native and GlueStack packages hosted on npm. Malicious code, obfuscated using whitespace, was injected into these dependencies, resulting in a supply chain attack that exposed over a million weekly downloads to a Remote Access Trojan (RAT). The incident was discovered following public research into the compromised packages, and required immediate notification and package removal to halt further distribution of the malicious code.
## Incident Details
- Discovery Date: June 7, 2025 (Date of public disclosure/analysis)
- Incident Date: Prior to June 7, 2025 (Exact initiation date unknown)
- Affected Organization: npm (Platform hosting the compromised packages)
- Sector: Software Development / Technology (Supply Chain)
- Geography: Global (Due to open-source package distribution)
## Timeline of Events
### Initial Access
- Date/Time: Unknown prior to June 7, 2025
- Vector: Supply Chain Compromise (Infecting open-source npm packages)
- Details: The attacker successfully injected malicious code into 16 specific React Native and GlueStack packages hosted on npm.
### Lateral Movement
- N/A (The attack focused on compromising downstream consumers of the infected packages, rather than moving laterally within a target network as an internal compromise).
### Data Exfiltration/Impact
- Potential for arbitrary command execution, data exfiltration, and persistent Command and Control (C2) communication on the systems of developers/users who integrated the compromised packages.
### Detection & Response
- Detection Method: Analysis by security researchers (Implied by the reference to Aikido blog).
- Response Actions: Implied removal or remediation of the compromised packages from the npm registry.
## Attack Methodology
- Initial Access: Supply Chain Compromise.
- Persistence: Established persistence mechanisms, particularly noted targeting Windows systems via the path `%LOCALAPPDATA%\Programs\Python\Python3127`.
- Privilege Escalation: Not explicitly detailed, but command execution capability suggests reliance on user execution context.
- Defense Evasion: Used **whitespace obfuscation** to hide malicious code within the package structure, avoiding simple static analysis.
- Credential Access: Not explicitly detailed, but RAT functionality implies capability for credential harvesting.
- Discovery: **`ss_info`** (system metadata collection) and **`ss_ip`** (external IP reporting) commands suggest system reconnaissance capabilities.
- Lateral Movement: N/A (Focus on initial infection vector).
- Collection: Capability to interact with C2, perform file uploads, and interact with installed dependencies like `axios` and `socket.io-client` for further communication or data gathering.
- Exfiltration: Capability for data exfiltration via C2 channels.
- Impact: Execution of arbitrary shell commands on the victim's machine.
## Impact Assessment
- Financial: Unknown (Costs associated with remediation, reputational damage for affected projects).
- Data Breach: Potential compromise of source code repositories, development environment data, and system-level information on integrated systems.
- Operational: Disruption to development workflows for any organization using the 16 compromised packages (estimated over 1 million weekly downloads).
- Reputational: Significant damage to trust in the security of the React Native/GlueStack ecosystem and the npm registry.
## Indicators of Compromise
- File Indicators: Malicious artifacts likely installed in `%LOCALAPPDATA%\Programs\Python\Python3127`.
- Behavioral Indicators: Execution of shell commands post-package installation; attempts to communicate with hardcoded external C2 servers; installation of secondary dependencies (`axios`, `socket.io-client`).
- Network Indicators (Defanged): Communication established with hardcoded C2 servers that utilized version-based switching mechanisms.
## Response Actions
- Containment: Removal or remediation of the 16 compromised packages from the npm registry (Implied).
- Eradication: Developers using the packages needed to audit environments, remove the malicious dependencies, and clean up any persistent artifacts left by the RAT.
- Recovery: Rebuilding environments using known-good versions of dependencies or alternatives.
## Lessons Learned
- Supply Chain Security: Relying on third-party package repositories introduces significant risk, especially for highly utilized dependencies.
- Obfuscation Sophistication: Threat actors actively use techniques like whitespace obfuscation to bypass standard security scanning tools.
- C2 Flexibility: Attackers demonstrated adaptability by implementing version-based C2 server switching.
## Recommendations
- Implement strict dependency pinning and use vulnerability scanning tools across all CI/CD pipelines to monitor for dependency drift.
- Increase scrutiny of package maintainers, especially for packages with high download volumes, and regularly audit package codebases for suspicious changes/obfuscation.
- Enforce least privilege principles for build and development environments to limit the impact of executed arbitrary code.