Over the weekend, multiple React Native Aria packages for GlueStack were backdoored as part of a supply chain attack.
The targeted React Native application development packages, some of which had not been updated in years, are highly popular, having a combined weekly download count of over one million.
Maintained by GlueStack, the compromised packages include react-native-aria/focus, utils, overlays, interactions, toggle, switch, checkbox, radio, button, menu, listbox, tabs, combobox, disclosure, slider, and separator, as well as gluestack-ui/utils.
According to Aikido, the attack appears linked to the early-May compromise of rand-user-agent, in which a threat actor used an outdated automation token that lacked two-factor authentication protection to publish malicious versions of the package to the NPM registry.
The malicious rand-user-agent versions would fetch and execute a backdoor named Python3127 PATH Hijack, capable of file and folder manipulation, shell command execution, and payload execution.
Now, Aikido identified a similar backdoor being delivered in the fresh supply chain attack, after the attackers hid the malicious code in modified versions of the react-native-aria and gluestack-ui packages using whitespace-based obfuscation, pushing the code off screen.
The supply chain attack followed the same pattern as the rand-user-agent incident last month: a public access token for an authorized maintainer’s account was compromised, allowing the attackers to publish modified versions of the 17 packages, the React Native Aria maintainers say.
However, they downplayed the attack’s impact, explaining that no code execution could have occurred on users’ systems.
“React Native Aria is a frontend-only library. It does not execute any code in CLI or scripts post-install, meaning the likelihood of the malicious code executing on user systems is extremely low to none. Based on our current understanding and usage patterns, no system-level compromises are expected,” they explain.
In response to the attack, the team deprecated the malicious package versions and reverted to clean, verified releases, and launched an audit of access logs and dependencies.
They also revoked all compromised tokens that had access to NPM, removed access for the affected users, revoked GitHub access for non-essential contributors, and enabled 2FA for publishing and GitHub access.
The maintainers recommend that all users check their package-lock.json or yarn.lock files to identify compromised package versions and immediately update to verified package versions from NPM.
“We understand how critical trust is in open source. We’re taking this breach very seriously, and while the impact appears limited, we’re making long-term security improvements across our entire ecosystem,” they note.
Related: Malicious NPM Packages Disguised as Express Utilities Allow Attackers to Wipe Systems
Related: Popular Scraping Tool’s NPM Package Compromised in Supply Chain Attack
Related: Compromised SpotBugs Token Led to GitHub Actions Supply Chain Hack
