Malware - Glassworm Targets Popular React Native Packages
Basically, hackers secretly added malware to popular coding tools to steal passwords and cryptocurrency.
A serious supply chain attack has hit popular React Native packages, allowing hackers to steal credentials and cryptocurrency. Developers are at risk, especially those using the affected packages. Immediate action is required to secure systems and prevent further theft.
What Happened
On March 16, 2026, a coordinated supply chain attack rocked the developer community. A threat actor known as Glassworm backdoored two widely used React Native npm packages: react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8. Both packages come from the same publisher, AstrOOnauta, and had been trusted by developers, accounting for over 134,887 downloads in the month prior to the attack. The backdoored versions turned the packages into silent credential and cryptocurrency stealers, making them a serious threat to developers and their projects.
The attack was cunningly executed. Developers running a standard npm install command unknowingly triggered the malware, because the backdoored versions introduced a new preinstall hook that executed a heavily obfuscated JavaScript file called install.js. Since the hook runs automatically during installation, the infection was nearly invisible. The malicious behavior was introduced deliberately, suggesting a targeted modification rather than an accidental build mistake.
Who's Affected
The impact of this attack is widespread. Any developer who used the affected packages for mobile applications involving phone number input or country selection is at risk. With 29,763 downloads occurring in the week of the attack alone, many projects that pulled these packages as indirect dependencies are also vulnerable. This means that even developers who did not directly install the malicious packages could still face serious security issues.
The malicious versions were published just three days after clean versions were released, indicating a well-planned attack. The scale of potential exposure is alarming, as many developers may not realize their systems have been compromised until it's too late.
Signs of Infection
Once the install.js script executed, it initiated a multi-stage infection process. The malware first scanned for Russian language markers and timezone offsets. If these indicators were present, the malware ceased operation, a tactic often employed by Russian-speaking threat actors. If the checks cleared, the malware proceeded to query a Solana blockchain account to retrieve further instructions, using a public blockchain account as a delivery relay to avoid detection.
The final payload was a complete Windows-focused stealer that targeted various cryptocurrency wallets and npm tokens. This included wallet data from popular services like MetaMask and Trust Wallet, as well as GitHub credentials. The stealthy nature of the attack makes it particularly dangerous, as many developers may not notice any unusual activity until it is too late.
How to Protect Yourself
Developers are urged to take immediate action. First, audit lock files for the affected versions of the packages. If either react-native-country-select@0.3.91 or react-native-international-phone-number@0.11.8 was installed, treat the machine as compromised. Rotate all npm tokens, GitHub credentials, and cryptocurrency wallet keys that were accessible on affected systems.
Additionally, review outbound network logs for connections to suspicious IP addresses linked to the attack. It's crucial to audit package lifecycle scripts and flag any unexpected preinstall hooks in build environments to reduce exposure to similar supply chain attacks in the future. By staying vigilant and proactive, developers can better protect their projects from malicious threats like Glassworm.
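The lock-file audit and lifecycle-script check described above, as an added example that is not from the original article or the affected project. It assumes an npm package-lock.json already parsed with JSON.parse and relies on npm's hasInstallScript lockfile flag; the sample lock file and the names some-form-kit and example-native-addon are constructed.

```javascript
// Added example: audit a parsed package-lock.json (npm lockfile v1, v2 or v3).
const AFFECTED = new Map([
  ['react-native-country-select', ['0.3.91']],
  ['react-native-international-phone-number', ['0.11.8']],
]);

// v2/v3 keys look like "node_modules/a/node_modules/@scope/b": name follows the last prefix.
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i < 0 ? path : path.slice(i + 'node_modules/'.length);
}

// Yield { name, version, path, hasInstallScript } for every locked package.
function* lockedPackages(lock) {
  if (lock.packages) { // lockfileVersion 2 and 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry
      yield { name: meta.name || nameFromPath(path), version: meta.version,
              path, hasInstallScript: meta.hasInstallScript === true };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" tree, which carries no install-script flag
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path, hasInstallScript: false };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// compromised: paths locked at an affected version (direct or indirect dependency).
// installScripts: every package npm recorded as having install-time lifecycle scripts.
function auditLock(lock) {
  const compromised = [], installScripts = [];
  for (const pkg of lockedPackages(lock)) {
    if ((AFFECTED.get(pkg.name) || []).includes(pkg.version)) compromised.push(pkg.path);
    if (pkg.hasInstallScript) installScripts.push(pkg.path);
  }
  return { compromised, installScripts };
}

// Constructed sample lock file; in practice parse the project's own package-lock.json.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react-native-country-select': { version: '0.3.91', hasInstallScript: true },
  'node_modules/some-form-kit': { version: '1.4.0' },
  'node_modules/some-form-kit/node_modules/react-native-international-phone-number': { version: '0.11.8', hasInstallScript: true },
  'node_modules/example-native-addon': { version: '2.0.0', hasInstallScript: true },
} };
console.log(auditLock(SAMPLE_LOCK));
```

Entries in installScripts that are not also in compromised are not necessarily malicious; they are the list to review against what each package is expected to run at install time.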
Cyber Security News