NPM packages containing malware were downloaded one million times every week.

NPM was the target of a serious supply chain attack after 17 well-known Gluestack ‘@react-native-aria’ packages with over a million downloads were compromised to contain malicious code that functions as a remote access trojan (RAT).

The supply chain attack was discovered by cybersecurity firm Aikido Security, which found obfuscated code injected into the lib/index.js file of the following packages:

Package Name                      Version   Weekly Downloads
--------------------------------  --------  ----------------
@react-native-aria/button         0.2.11    51,000
@react-native-aria/checkbox       0.2.11    81,000
@react-native-aria/combobox       0.2.10    51,000
@react-native-aria/disclosure     0.2.9     3
@react-native-aria/focus          0.2.10    100,000
@react-native-aria/interactions   0.2.17    125,000
@react-native-aria/listbox        0.2.10    51,000
@react-native-aria/menu           0.2.16    22,000
@react-native-aria/overlays       0.3.16    96,000
@react-native-aria/radio          0.2.14    78,000
@react-native-aria/switch         0.2.5     477
@react-native-aria/toggle         0.2.12    81,000
@react-native-aria/utils          0.2.13    120,000
@gluestack-ui/utils               0.1.17    55,000
@react-native-aria/separator      0.2.7     65
@react-native-aria/slider         0.2.13    51,000
@react-native-aria/tabs           0.2.14    70,000

These packages are very popular, with a combined total of approximately 1,020,000 weekly downloads, making this a massive supply chain attack that could have widespread consequences.
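As an added example that is not part of the original report, the following Node.js check scans a package-lock.json (lockfileVersion 2 or 3, which carries a "packages" map) and flags any install, at any nesting depth, pinned to one of the compromised versions in the table above. The lockfile content in the block is constructed sample data; to check a real project, parse its package-lock.json with JSON.parse and pass the result to findCompromised.

```javascript
// Added example (not from the original report): flag packages in a
// package-lock.json (lockfileVersion 2/3 "packages" map) that are pinned to
// the compromised versions listed in the table above.
const COMPROMISED = {
  "@react-native-aria/button": "0.2.11",
  "@react-native-aria/checkbox": "0.2.11",
  "@react-native-aria/combobox": "0.2.10",
  "@react-native-aria/disclosure": "0.2.9",
  "@react-native-aria/focus": "0.2.10",
  "@react-native-aria/interactions": "0.2.17",
  "@react-native-aria/listbox": "0.2.10",
  "@react-native-aria/menu": "0.2.16",
  "@react-native-aria/overlays": "0.3.16",
  "@react-native-aria/radio": "0.2.14",
  "@react-native-aria/switch": "0.2.5",
  "@react-native-aria/toggle": "0.2.12",
  "@react-native-aria/utils": "0.2.13",
  "@gluestack-ui/utils": "0.1.17",
  "@react-native-aria/separator": "0.2.7",
  "@react-native-aria/slider": "0.2.13",
  "@react-native-aria/tabs": "0.2.14",
};

// Lockfile paths look like "node_modules/a/node_modules/@scope/name";
// the package name is everything after the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every installed package (any nesting depth) whose version matches
// a compromised release; an empty array means the lockfile is clean.
function findCompromised(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // "" is the root project entry
    const name = nameFromLockPath(lockPath);
    if (meta.version && COMPROMISED[name] === meta.version) {
      hits.push({ name, version: meta.version, lockPath });
    }
  }
  return hits;
}

// Constructed sample lockfile: one compromised pin, one safe older version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@react-native-aria/focus": { version: "0.2.10" },
  "node_modules/@react-native-aria/utils": { version: "0.2.12" },
} };
console.log(findCompromised(SAMPLE_LOCK)); // one hit: @react-native-aria/focus 0.2.10
```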

Read more about this story on Bleeping Computer
