Malicious Code Lurked in Popular React Native Packages: A Supply Chain Scare for Developers

In a stark reminder of the vulnerabilities inherent in software development, two widely-used packages for React Native development were briefly compromised, serving as conduits for malware designed to pilfer Windows user credentials.

The incident, which unfolded on March 16, 2026, saw malicious versions of ‘react-native-country-select’ and ‘react-native-international-phone-number’ uploaded to the npm registry, the central hub for JavaScript packages. This sophisticated supply chain attack highlights the persistent threat posed by malicious actors targeting the very tools developers rely on daily.

The compromised packages, specifically version 0.3.91 of ‘react-native-country-select’ and version 0.11.8 of ‘react-native-international-phone-number’, were not merely subtly altered: both carried the same disguised loader. This malicious code was designed to execute automatically during the standard ‘npm install’ process, a routine step for any developer incorporating these libraries into a project. The implications are significant because these packages, while perhaps not household names, are integral to building cross-platform mobile applications with React Native, a framework favored by many for its efficiency and reach.

Unpacking the Attack: How the Malware Spread

The core of this attack lay in its stealth and the exploitation of trust within the open-source ecosystem. When developers initiated an ‘npm install’ command for the affected versions of these packages, they weren’t just downloading code to build their applications; they were inadvertently pulling down a malicious payload. This payload, a staged loader, was designed to be executed immediately upon installation. Its primary objective was to harvest sensitive Windows user credentials. The fact that two distinct packages were targeted, both with the same malicious code, suggests a coordinated effort by threat actors aiming for maximum impact.

The attackers leveraged the inherent trust developers place in public repositories like npm. The open-source model, while fostering innovation and collaboration, also presents a significant attack surface. A single compromised package, especially one with a substantial number of downloads or dependencies, can have a ripple effect, potentially infecting numerous projects and systems. In this instance, the attackers managed to inject their malware into packages that, while not necessarily at the very top of the download charts, are still actively used by a considerable number of developers building applications for both iOS and Android.

The nature of the malware itself is concerning. Credential-stealing malware, commonly called an infostealer, aims to exfiltrate usernames, passwords, session tokens, and other sensitive authentication data. That information can then be used for a variety of nefarious purposes, including unauthorized access to user accounts, corporate networks, and financial resources. The successful deployment of such malware through a trusted package manager like npm represents a significant breach of security for the development community.

The ‘Glassworm’ Connection and Supply Chain Risks

This incident has been linked to a threat actor known as ‘Glassworm’. This group has previously been associated with sophisticated cyberattacks, often employing supply chain tactics to achieve their objectives. Their modus operandi typically involves compromising legitimate software or services to distribute their malicious payloads. By injecting malware into popular npm packages, Glassworm demonstrated a clear understanding of the software development lifecycle and the critical role of third-party libraries.

The term ‘supply chain attack’ in cybersecurity refers to an attack that targets a less secure element in the supply chain of a product or service to gain access to the ultimate target. In the context of software, this means compromising a tool, library, or service that is used by many developers. The consequences can be far-reaching, as a single point of compromise can lead to widespread infection. This latest incident serves as a potent case study in the vulnerabilities of the software supply chain.

The reliance on open-source software is a double-edged sword. It accelerates development and reduces costs, but it also means that developers are often incorporating code from sources they may not have thoroughly vetted. The npm ecosystem, with its vast repository of packages, is a prime example. While npm has security measures in place, the sheer volume of packages and the ease with which new ones can be published create opportunities for malicious actors to exploit.

Key takeaways regarding supply chain risks highlighted by this event include:

  • Dependency Management: Developers must be vigilant about the dependencies they include in their projects. Regularly reviewing and updating dependencies is crucial, but so is understanding the provenance and security posture of those dependencies.
  • Automated Scans: Implementing automated security scanning tools that can detect known malicious code or vulnerabilities in dependencies can provide an early warning system.
  • Trust but Verify: While the open-source community thrives on trust, it’s essential to have mechanisms in place to verify the integrity of the code being used, especially for critical applications.
  • Rapid Response: The speed at which malicious packages were identified and, presumably, removed from the registry is a testament to the vigilance of the security community. However, the brief window of opportunity for infection underscores the need for rapid detection and remediation.

Mitigation and Best Practices for Developers

The immediate aftermath of such an attack involves swift action from the npm security team and the broader cybersecurity community to identify and remove the malicious
