A significant supply chain attack recently targeted NPM, compromising 16 popular Gluestack ‘react-native-aria’ packages. With over 950,000 weekly downloads, these packages were infiltrated to include malicious code functioning as a Remote Access Trojan (RAT).
The compromise was identified on June 6 at 4:33 PM EST, following the publication of a new version of the react-native-aria/focus package. This incident highlights the ongoing vulnerabilities within software supply chains, as 16 out of the 20 Gluestack react-native-aria packages were found to be compromised.
Discovery of the Attack
Cybersecurity firm Aikido Security was instrumental in uncovering this attack. They detected obfuscated code in the lib/index.js file across various affected packages, including:
Package Name | Version | Weekly Downloads
---|---|---
react-native-aria/button | 0.2.11 | 51,000
react-native-aria/checkbox | 0.2.11 | 81,000
react-native-aria/combobox | 0.2.10 | 51,000
react-native-aria/disclosure | 0.2.9 | 3
react-native-aria/focus | 0.2.10 | 100,000
react-native-aria/interactions | 0.2.17 | 125,000
react-native-aria/listbox | 0.2.10 | 51,000
react-native-aria/menu | 0.2.16 | 22,000
react-native-aria/overlays | 0.3.16 | 96,000
react-native-aria/radio | 0.2.14 | 78,000
react-native-aria/switch | 0.2.5 | 477
react-native-aria/toggle | 0.2.12 | 81,000
react-native-aria/utils | 0.2.13 | 120,000
gluestack-ui/utils | 0.1.17 | 55,000
react-native-aria/separator | 0.2.7 | 65
react-native-aria/slider | 0.2.13 | 51,000
These packages not only enjoy substantial popularity but also present a considerable risk due to their widespread usage. The malicious code is intricately obfuscated, appended to the final line of the source code, and is padded with spaces, rendering it difficult to identify through standard code reviews.
Functionality of the Malicious Code
Aikido Security confirmed that the malicious code resembles a Remote Access Trojan previously identified during a separate NPM compromise. Analysis reveals that this RAT connects to the attackers’ command-and-control server to execute commands remotely.
The commands embedded in the malware include, but are not limited to:
- cd: Change the current working directory.
- ss_dir: Reset the directory to the script's path.
- ss_fcd: Force change directory.
- ss_upf:f,d: Upload a single file f to destination d.
- ss_upd:d,dest: Upload all files under directory d to destination dest.
- ss_stop: Sets a flag to terminate the current upload process.
- Other inputs: Treated as shell commands and executed via child_process.exec().
Moreover, the trojan employs Windows PATH hijacking by prefixing a fictitious Python path (%LOCALAPPDATA%\Programs\Python\Python3127) to the environment variable PATH, allowing it to usurp legitimate Python or pip commands in favor of executing malicious binaries.
Response from the Community
Charlie Eriksen, an Aikido security researcher, attempted to notify Gluestack about the compromise by opening GitHub issues on each of their repositories, but to date, there has been no response. "No response from package maintainers (it’s morning on a Saturday in the US, which may explain the delay)," Eriksen noted.
Aikido has reported each affected package to NPM, although the remediation is typically a multi-day process. This incident appears to connect to the same threat actors responsible for compromising four additional NPM packages earlier that week, indicating an ongoing threat landscape.
BleepingComputer has also reached out to Gluestack for comments regarding the compromised packages, but no reply has been received at this moment. This attack serves as a critical reminder of the vulnerabilities intrinsic to supply chain processes and highlights the need for enhanced security measures in software development practices.