Subj : Popular NPM packages with over a million downloads hit by malware
To   : All
From : TechnologyDaily
Date : Mon Jun 09 2025 15:30:09

Popular NPM packages with over a million downloads hit by malware
Date: Mon, 09 Jun 2025 14:25:00 +0000
Description: Researchers discovered 17 NPM packages laden with malware.

FULL STORY
======================================================================

- 17 NPM packages with more than a million weekly downloads were compromised to deliver a RAT
- The attack could turn into a major supply chain attack, experts warned
- The packages have since been deprecated, but users should remain on their guard

More than a dozen packages on NPM were poisoned with a Remote Access Trojan (RAT), possibly infecting millions of projects.

Cybersecurity researchers at Aikido Security recently discovered malicious code buried very deep in 17 popular Gluestack packages. The packages cumulatively have more than a million downloads weekly, meaning huge numbers of users could be affected, the experts warned.

Revoking access tokens

Here is the full list of compromised packages:

@react-native-aria/button
@react-native-aria/checkbox
@react-native-aria/combobox
@react-native-aria/disclosure
@react-native-aria/focus
@react-native-aria/interactions
@react-native-aria/listbox
@react-native-aria/menu
@react-native-aria/overlays
@react-native-aria/radio
@react-native-aria/switch
@react-native-aria/toggle
@react-native-aria/utils
@gluestack-ui/utils
@react-native-aria/separator
@react-native-aria/slider
@react-native-aria/tabs

The packages deployed malicious code that connected to the attackers' command-and-control (C2) server and received additional commands, including, among other things, the ability to upload single or multiple files. Furthermore, the trojan can execute Windows PATH hijacking and silently override legitimate python and pip commands.

In response, Gluestack revoked an access token used to publish the compromised packages.
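As an added defensive check, not part of the story or of Gluestack's own tooling: the Node.js script below walks a project's package-lock.json and reports every installed copy of the 17 packages named above, including copies pulled in transitively under other dependencies. It assumes a lockfile already parsed with JSON.parse; the sample lockfile and its version numbers are constructed, and since the article names no affected versions, a hit means the package is present and its version must be compared against the maintainer's advisory.

```javascript
// Added example: scan a parsed package-lock.json for the 17 package names in the
// story (list copied from the article). Sample lockfile below is constructed.
const AFFECTED_PACKAGES = new Set([
  '@react-native-aria/button', '@react-native-aria/checkbox',
  '@react-native-aria/combobox', '@react-native-aria/disclosure',
  '@react-native-aria/focus', '@react-native-aria/interactions',
  '@react-native-aria/listbox', '@react-native-aria/menu',
  '@react-native-aria/overlays', '@react-native-aria/radio',
  '@react-native-aria/switch', '@react-native-aria/toggle',
  '@react-native-aria/utils', '@gluestack-ui/utils',
  '@react-native-aria/separator', '@react-native-aria/slider',
  '@react-native-aria/tabs',
]);
// Return [{name, version, path}] for every installed copy of an affected
// package (nested copies included). Handles lockfileVersion 2/3 ("packages"
// map keyed by install path) and v1 (nested "dependencies" tree). The article
// names no versions, so this flags presence; check versions against the advisory.
function findAffectedPackages(lock, affected = AFFECTED_PACKAGES) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // root entry ("") or workspace link
      const name = path.slice(idx + 'node_modules/'.length);
      if (affected.has(name)) hits.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (affected.has(name)) hits.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample (v3 shape): one affected package at top level, one nested
// under another dependency, one unaffected package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/@gluestack-ui/utils': { version: '0.1.0' },
    'node_modules/some-ui-kit/node_modules/@react-native-aria/utils': { version: '0.2.0' },
  },
};
for (const h of findAffectedPackages(SAMPLE_LOCK)) console.log(`${h.path} (${h.version})`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).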
All of the poisoned tools are marked on NPM as deprecated. "Unfortunately, unpublishing the compromised version wasn't possible due to dependent packages," a GlueStack developer said on GitHub. "As a mitigation, I have deprecated the affected versions and updated the latest tag to point to a safe, older version."

The Node Package Manager (NPM) is the default package manager for the JavaScript runtime environment Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts, and more. As such, it is vastly popular, with millions of monthly visitors and hundreds of thousands of registered accounts that frequently publish packages.

Unfortunately, popular platforms attract threat actors in droves, and situations such as this one are not uncommon on NPM or on similar platforms such as GitHub or PyPI.

Via BleepingComputer

======================================================================
Link to news story: https://www.techradar.com/pro/security/popular-npm-packages-with-over-a-million-downloads-hit-by-malware

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)