Malware Discovered in Popular NPM Packages with 1M+ Weekly Downloads

▼ Summary
– A supply chain attack compromised 17 popular NPM packages under ‘@react-native-aria,’ injecting malicious code acting as a remote access trojan (RAT).
– The attack began on June 6, and the threat actors were still pushing new compromised versions as recently as two hours before the source article was last updated.
– The malicious code, heavily obfuscated and hidden in the files, connects to a command-and-control server to execute commands like file uploads and directory changes.
– Gluestack revoked the access token used in the attack and deprecated the compromised versions, but could not unpublish them: npm does not allow unpublishing a package that other published packages still depend on.
– The attack is linked to the same threat actors behind recent compromises of four other NPM packages, with over 1 million weekly downloads affected.
A widespread supply chain attack has compromised multiple popular NPM packages with over one million weekly downloads, injecting malicious code that functions as a remote access trojan. Security researchers uncovered the breach affecting 17 packages from the Gluestack ‘@react-native-aria’ collection, with the first compromised version appearing on June 6.
Cybersecurity firm Aikido Security identified the attack after detecting obfuscated code within the packages’ index.js files. The malicious payload was appended at the very end of each file behind a long run of whitespace, so that it sits off-screen in a casual editor or diff view and is easy to miss. Among the affected packages are several widely used components including @react-native-aria/button, @react-native-aria/checkbox, and @react-native-aria/utils, collectively averaging more than a million installations per week.
Analysis shows the injected code operates as a remote access trojan that polls an attacker-controlled command-and-control server and executes the commands it receives. The observed capabilities include changing the working directory, uploading files, and running arbitrary shell commands. On Windows, the trojan also performs PATH hijacking by inserting a fake Python directory into PATH, so that commands intended for the legitimate Python interpreter can be intercepted by the attacker’s binary instead.
The attack bears striking similarities to another NPM compromise discovered last month, suggesting the involvement of the same threat actors. Researchers have linked this incident to four other package compromises earlier this week, indicating an ongoing campaign targeting the JavaScript ecosystem.
Despite multiple attempts to contact Gluestack through GitHub issues, the maintainers were initially unresponsive. The company later revoked the compromised access token and deprecated the affected versions, though complete removal was not possible because other published packages depend on them. Developers are urged to check their lockfiles and installed node_modules immediately for any of the compromised package versions and to pin back to known safe releases. Because the payload executes arbitrary shell commands, any machine or CI runner that installed a compromised version should be treated as potentially compromised rather than simply reinstalled.
This incident highlights the growing sophistication of supply chain attacks targeting open-source ecosystems. The JavaScript community faces increasing challenges in maintaining package security, particularly with widely used dependencies that form the backbone of countless applications. Security teams continue monitoring the situation as new details emerge about the attack’s scope and impact.
(Source: BLEEPING COMPUTER)