A sophisticated supply chain attack targeting developers using popular React Native packages was detected on March 16, 2026. The threat actor, identified as Glassworm, compromised two widely downloaded npm packages, react-native-country-select and react-native-international-phone-number, turning them into tools for silently stealing credentials and cryptocurrency. This incident highlights critical vulnerabilities in the software development lifecycle.
The malicious versions, [email protected] and [email protected], were published by the same developer, AstrOOnauta, within minutes of each other. These packages, frequently used for mobile user interface elements such as phone number input and country selection, had collectively accumulated over 134,887 downloads in the month leading up to the attack. The attack required no specific user action: a standard npm install was sufficient to trigger the malware.
Glassworm’s Multi-Stage React Native npm Malware Attack
The attack unfolded through a meticulously crafted multi-stage execution chain designed for stealth. Upon execution on a Windows machine, the initial JavaScript file, install.js, obfuscated to evade detection, performed a locale check. It scanned for indicators of Russian language settings and associated time zone offsets. If these were detected, the malware would cease execution, a common behavior observed in malware linked to Russian-speaking threat actors.
If the locale check found no Russian indicators, the installer then interacted with a Solana blockchain account. Using the getSignaturesForAddress RPC method, it retrieved a base64-encoded URL concealed within a transaction memo. Using a public blockchain as the delivery relay for the stage-two payload significantly complicated traditional domain- or network-based blocking, since the lookup goes to ordinary Solana RPC infrastructure rather than to an attacker-owned host. Researchers at Aikido identified the backdoored packages and reconstructed the infection chain, decrypting the subsequent payloads without executing them.
The analysis revealed that the loader file was identical across both compromised packages, sharing the same SHA-256 hash. Crucially, the version updates were otherwise legitimate, with only the `install.js` file and a corresponding `preinstall` entry in `package.json` being modified. This indicates a deliberate and targeted compromise rather than an accidental build error. The clean versions immediately preceding the malicious releases, @0.3.9 and @0.11.7, were published just three days prior on March 13, 2026, and did not contain any malicious hooks.
The potential exposure was substantial. In the week of the attack alone, the two packages saw a combined 29,763 downloads. Developers building mobile applications that incorporate phone number input or country selection features were directly at risk. More broadly, any project that pulled in these packages, even as indirect dependencies, faced the same threat.
Unpacking the Later Stages of the Attack
Following the blockchain-based retrieval of the stage-two script, further decryption keys were supplied to unlock the stage-three payload. This final stage constituted a comprehensive Windows-focused stealer. To ensure persistence, the stage-three payload established itself via Windows Task Scheduler and the `Run` registry key. Subsequently, a Google Calendar link was employed as an additional relay mechanism before the malware began downloading further components from an attacker-controlled server.
The ultimate objective of the payload was to exfiltrate sensitive data. It swept wallet data from several popular cryptocurrency wallets, including MetaMask, Exodus, Atomic, Guarda, Coinomi, Trust Wallet, and OKX Wallet. In addition to cryptocurrency credentials, the malware harvested stored npm tokens and GitHub credentials through native credential commands, effectively compromising developer accounts and sensitive project information.
Security researchers strongly advise developers to immediately audit their project lock files for instances of [email protected] or [email protected]. Any machine that installed either of these versions should be treated as potentially compromised. It is imperative to rotate all npm tokens, GitHub credentials, and cryptocurrency wallet keys that were accessible on affected systems as a precautionary measure.
Furthermore, reviewing outbound network logs for connections to the IP addresses 45[.]32[.]150[.]251 and 217[.]69[.]3[.]152 is recommended for identifying potential instances of this attack. Auditing package lifecycle scripts and actively flagging any unexpected `preinstall` hooks within build environments are crucial steps in mitigating exposure to similar supply chain attacks in the future. The ongoing investigation will focus on identifying further potential compromises and refining detection mechanisms.