Malicious Code Infects Over 950K Weekly Downloads in Popular Dev Packages
Supply-Chain Attack Breaches Package Registry
Cybersecurity researchers have uncovered a live supply-chain breach targeting 16 npm “GlueStack” packages used within the React Native ecosystem. These compromised modules collectively see nearly 1 million downloads per week.
Nature of the Embedded Threat
The introduced malicious code operates as a Remote Access Trojan (RAT), enabling attackers to run shell commands, take screenshots, and upload arbitrary files on vulnerable systems.
Stealth Techniques and Persistence Model
Attackers inserted heavily obfuscated scripts into core library files (lib/index.js), using whitespace padding to push the injected code out of view during casual inspection. Updating to a clean package version does not remove the RAT from machines that already ran the malicious code; it remains active there.
Campaign Scope and Targets
The initial breach occurred on June 6, and within hours, 16 modules ranging from UI utilities to React Native accessibility tools were compromised. Each affected package has significant usage—some exceeding 100,000 weekly installs.
Mitigation and Remediation Steps
To reduce exposure, developers should:
- Revert to previously published safe versions of affected packages.
- Check systems for connections to known command-and-control servers.
- Inspect for unexpected files in paths like %LOCALAPPDATA%\Programs\Python\Python3127 on Windows.
- Monitor systems for unusual shell execution behavior.
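The following is an added example, not code from the article or from the GlueStack project, that turns two of the points above into a small defensive audit: it lists installed packages from a package-lock.json that fall under a watched npm scope and flags any version newer than a known-safe one, and it scans a library source file for the whitespace-padding trick described earlier, where an injected statement is pushed hundreds of columns to the right so it sits outside the editor viewport. The scope name, the safe-version list, the lockfile and the index.js contents are all constructed placeholders; the real advisory data is not reproduced here.

```javascript
// Added example (not from the article or the GlueStack project): a defensive
// audit for (1) watched packages in a lockfile that are newer than a known-safe
// version and (2) whitespace-padded lines hidden in a library source file.

// Assumption: the affected packages share one npm scope. The scope and the
// safe versions below are constructed placeholders, not real advisory data.
const WATCHED_SCOPE = '@example-gluestack/';
const SAFE_VERSIONS = {
  '@example-gluestack/ui-button': '1.2.0',
  '@example-gluestack/ui-toast': '3.0.4',
};

// Extract {name, version} for every package under the watched scope from a
// lockfile v2/v3 "packages" map (keys look like "node_modules/<name>").
function findWatchedPackages(lockText) {
  const lock = JSON.parse(lockText);
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    if (name.startsWith(WATCHED_SCOPE)) {
      found.push({ name, version: entry.version });
    }
  }
  return found;
}

// Minimal numeric semver comparison (major.minor.patch only); returns -1/0/1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Anything newer than its known-safe version, or absent from the allowlist,
// is reported for manual review (and reverting, as the article recommends).
function flagVersions(installed) {
  return installed.filter(({ name, version }) => {
    const safe = SAFE_VERSIONS[name];
    return safe === undefined || compareSemver(version, safe) > 0;
  });
}

// Report lines whose first non-whitespace character sits at or beyond
// `column` and which then contain code: the padding heuristic.
function findPaddedLines(source, column = 200) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    const indent = line.match(/^[ \t]*/)[0].length;
    if (indent >= column && line.trim().length > 0) {
      hits.push({ line: i + 1, indent, preview: line.trim().slice(0, 40) });
    }
  });
  return hits;
}

function audit(lockText, indexSource) {
  return {
    suspiciousVersions: flagVersions(findWatchedPackages(lockText)),
    paddedLines: findPaddedLines(indexSource),
  };
}

// Constructed lockfile: one package pinned to its safe version, one bumped past it.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@example-gluestack/ui-button': { version: '1.2.0' },
    'node_modules/@example-gluestack/ui-toast': { version: '3.0.5' },
    'node_modules/react': { version: '18.3.1' },
  },
});

// Constructed lib/index.js: two normal lines, then a statement pushed 400
// columns to the right. The padded content is a harmless stand-in.
const SAMPLE_INDEX_JS =
  "'use strict';\n" +
  "module.exports = { Button: require('./button') };\n" +
  ' '.repeat(400) + "require('./hidden-extra');\n";

console.log(JSON.stringify(audit(SAMPLE_LOCK, SAMPLE_INDEX_JS), null, 2));
```

Run it with `node` against a real package-lock.json and the `lib/index.js` files under `node_modules` by replacing the two constructed samples; the padding threshold of 200 columns is a starting point, and a lower value trades more false positives for catching shorter padding runs.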
Why This Matters to Developers and Enterprises
This incident highlights how code dependencies can be weaponized to stealthily infect development and production environments, facilitating data theft, crypto-mining, or full system compromise. It underscores the critical need for strict dependency hygiene and runtime monitoring.