Glassworm Hits Popular React Native Packages With Credential-Stealing npm Malware

A coordinated supply chain attack struck the developer community on March 16, 2026, when a threat actor known as Glassworm backdoored two widely used React Native npm packages, turning them into silent credential and cryptocurrency stealers.

The affected packages — react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8 — were published within minutes of each other by the same publisher, AstrOOnauta, and together accounted for more than 134,887 downloads in the month before the attack.

Both packages handle mobile UI tasks like phone number input and country selection, making them trusted fixtures across many developer projects.

The attack required no special action from its targets. A standard npm install run by any developer, CI runner, or build agent was enough to trigger the malware.

Both malicious releases introduced a new preinstall hook that ran a heavily obfuscated JavaScript file called install.js before the package even finished installing on the host.

This design made the infection practically invisible, as developers had no reason to suspect that a routine package update was quietly deploying a multi-stage Windows payload directly to their machines.

Aikido researchers identified both backdoored packages and traced the full execution chain by following the same steps the malware takes, recovering and decrypting the live stage-two and stage-three payloads without executing them.

Their analysis confirmed the loader file was byte-identical across both packages, sharing the same SHA-256 hash.

The version diffs were otherwise clean — the malicious behavior was introduced only through a new install.js file and a matching preinstall entry in package.json, suggesting a deliberate and targeted modification rather than a build mistake.

The scale of potential exposure was serious. In the week of the attack alone, the two packages combined for 29,763 downloads, and 134,887 over the prior month.

Clean versions immediately before the malicious releases — @0.3.9 and @0.11.7 — contained no malicious hook and had been published just three days earlier on March 13, 2026.

Developers building mobile applications with phone number input or country selection features were directly at risk, but any project that pulled these packages as indirect dependencies faced the same danger.

Multi-Stage Execution: How the Attack Unfolded

The infection chain was carefully layered, using multiple stages and legitimate third-party services to stay hidden.

Once install.js executed on a Windows machine, it first scanned the system for Russian language markers — including variables set to ru_RU, ru-RU, or Russian — and also checked timezone offsets linked to Russia.

If those signals were present, the malware stopped without taking any action, a tactic consistently seen in criminal malware associated with Russian-speaking threat actors.

If the locale check cleared, the installer queried a Solana blockchain account using the getSignaturesForAddress RPC method to retrieve a base64-encoded URL hidden inside a transaction memo.

Using a public blockchain account as a delivery relay made the stage-two address very difficult to block through conventional domain or network filtering.

The returned stage-two script then supplied decryption keys to unlock the stage-three payload — a complete Windows-focused stealer.

That third stage set up persistence through Windows Task Scheduler and the Run registry key, then used a Google Calendar link as an additional relay before pulling further components from an attacker-controlled server.

The final payload swept wallet data from MetaMask, Exodus, Atomic, Guarda, Coinomi, Trust Wallet, and OKX Wallet, while also harvesting stored npm tokens and GitHub credentials through native credential commands.

Developers should immediately audit lock files for react-native-country-select@0.3.91 or react-native-international-phone-number@0.11.8 and treat any machine that installed either version as compromised.

Rotate all npm tokens, GitHub credentials, and cryptocurrency wallet keys that were accessible on affected systems.

Review outbound network logs for connections to 45[.]32[.]150[.]251 and 217[.]69[.]3[.]152. Auditing package lifecycle scripts and flagging unexpected preinstall hooks in build environments reduces exposure to similar supply chain attacks.
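As an added example (not code from the article or from Aikido), the following Node.js script performs the two audits recommended above: it checks a parsed package-lock.json for the two compromised versions and flags any installed manifest that declares an npm lifecycle hook such as preinstall. The sample lockfile and manifests are constructed for illustration.

```javascript
// Added example, not code from the article or Aikido: checks a parsed
// package-lock.json ("packages" map, lockfileVersion 2/3) for the compromised
// versions named in the article and flags lifecycle hooks in installed manifests.
// The sample lockfile and manifests below are constructed for illustration.
const COMPROMISED = {
  'react-native-country-select': ['0.3.91'],
  'react-native-international-phone-number': ['0.11.8'],
};
// Scripts npm runs automatically during install; the malicious releases
// added only a preinstall entry pointing at install.js.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
// Return every lockfile entry whose version is on the compromised list.
function findCompromised(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    // "node_modules/a/node_modules/@s/b" -> "@s/b"; scoped names survive
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 13);
    if ((COMPROMISED[name] || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}
// Return [{ path, name, hooks }] for manifests declaring lifecycle hooks,
// so unexpected preinstall/postinstall scripts can be reviewed before install.
function scanManifests(manifests) {
  return manifests
    .map(({ path, manifest }) => ({
      path, name: manifest.name,
      hooks: LIFECYCLE_HOOKS.filter((h) => typeof (manifest.scripts || {})[h] === 'string'),
    }))
    .filter((m) => m.hooks.length > 0);
}
// Constructed sample data: one compromised version, one clean prior version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react-native-country-select': { version: '0.3.91' },
  'node_modules/react-native-international-phone-number': { version: '0.11.7' },
  'node_modules/left-pad': { version: '1.3.0' },
} };
const SAMPLE_MANIFESTS = [
  { path: 'node_modules/react-native-country-select/package.json',
    manifest: { name: 'react-native-country-select', scripts: { preinstall: 'node install.js' } } },
  { path: 'node_modules/left-pad/package.json',
    manifest: { name: 'left-pad', scripts: { test: 'node test.js' } } },
];
console.log('compromised:', findCompromised(SAMPLE_LOCK));
console.log('lifecycle hooks:', scanManifests(SAMPLE_MANIFESTS));
```

In a real audit, pass `JSON.parse` of the project's package-lock.json to `findCompromised` and the parsed package.json of each directory under node_modules to `scanManifests`, then fail the CI job on any hit that has not been explicitly reviewed.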

The post Glassworm Hits Popular React Native Packages With Credential-Stealing npm Malware appeared first on Cyber Security News.

Source: cybersecuritynews.com
