Glassworm hits popular React Native packages with credential-stealing npm malware


A coordinated supply chain attack hit the React Native ecosystem on March 16, after two widely used npm packages were backdoored with malware that runs during a normal install. Aikido Security says the affected releases were react-native-country-select 0.3.91 and react-native-international-phone-number 0.11.8, both published by the same maintainer within minutes of each other.

The risk was not limited to developers who manually ran suspicious code. According to Aikido, the malicious versions added a preinstall hook, so a routine npm install (or npm ci, which also runs lifecycle scripts) on a developer machine, CI runner, or build agent would launch the loader automatically, before the package itself had finished installing.

That makes this a serious software supply chain incident. These packages handle common mobile UI tasks such as country selection and phone number input, which makes them easy to trust and easy to inherit indirectly through other projects. Aikido reported that the two packages together had 29,763 downloads in the week before discovery and 134,887 downloads over the prior month.

What happened

Aikido said both malicious releases were published on March 16, 2026, at 10:49:29 UTC and 10:54:18 UTC, less than five minutes apart. The clean adjacent versions (0.3.9 and 0.11.7) had been published just three days earlier, on March 13.

Researchers said the malicious changes were tightly scoped and deliberate. In both packages, the attack introduced a new install.js file and a matching preinstall entry in package.json. Aikido also said the loader file was byte-identical across both packages, sharing the same SHA-256 hash, which strongly suggests a coordinated compromise rather than an accidental build issue.

One detail stands out. Aikido said react-native-international-phone-number 0.11.8 depended on the earlier clean react-native-country-select 0.3.9, not the malicious 0.3.91, which suggests both packages were backdoored independently rather than one malicious package pulling the other in through a dependency chain.

How the malware worked

The attack began with a preinstall hook that launched an obfuscated install.js script. Aikido said that script reached out to external infrastructure, fetched a second-stage payload, and executed it dynamically. The company followed the same chain used by the malware and recovered the later stages without detonating them directly.

According to Aikido, the malware then checked the target system for Russian language markers and Russian-linked timezone settings. If those signals were present, it stopped. That kind of geographic avoidance behavior is common in malware operations linked to Russian-speaking cybercriminal activity, though it does not by itself prove attribution.

The next stage used a public Solana address as a dead-drop relay. Aikido said the installer queried the Solana RPC method getSignaturesForAddress to recover a base64-encoded URL stored in a transaction memo. That design made the delivery path harder to block with standard domain filtering: the stage-two location was never hardcoded in the loader, the request that fetched it went to a legitimate blockchain RPC endpoint rather than to attacker-registered infrastructure, and the attacker can change the pointer simply by posting a new memo, without touching the package or the loader.
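To make the relay step concrete, here is an added example written for this article; it is not Aikido's tooling and not the malware's own code. It replays the pointer lookup offline against a constructed getSignaturesForAddress response, so a responder can see how a base64 memo turns into a stage-two URL without querying the live chain. Two things are assumptions rather than details from the report: that the memo text is rendered the way Solana's RPC renders SPL Memo data ("[<len>] <text>"), and that the loader takes the newest memo that decodes to an http(s) URL. The signatures, slots, and the URL itself are made up.

```javascript
// Added example (not Aikido's code, not the malware's code): resolve a
// stage-two URL from a constructed Solana getSignaturesForAddress response.
// Assumption: memo text arrives as "[<len>] <text>", and the loader picks the
// newest memo whose base64 payload decodes to an http(s) URL.

// Build a memo string in the "[len] text" form for the constructed response.
function memoOf(text) {
  return `[${text.length}] ${text}`;
}

// Constructed RPC response. getSignaturesForAddress returns newest first.
const constructedRpcResponse = {
  jsonrpc: "2.0",
  id: 1,
  result: [
    { signature: "5Newest111", slot: 300000003, err: null, memo: null,
      blockTime: 1773659000, confirmationStatus: "finalized" },
    { signature: "4Relay2222", slot: 300000002, err: null,
      memo: memoOf(Buffer.from("https://stage2.example.invalid/payload.js").toString("base64")),
      blockTime: 1773658000, confirmationStatus: "finalized" },
    { signature: "3Decoy3333", slot: 300000001, err: null,
      memo: memoOf(Buffer.from("just a note").toString("base64")), // base64, but not a URL
      blockTime: 1773657000, confirmationStatus: "finalized" },
    { signature: "2Plain4444", slot: 300000000, err: null,
      memo: memoOf("not base64 at all!"), // plain text, fails the base64 check
      blockTime: 1773656000, confirmationStatus: "finalized" },
  ],
};

// Strip the "[len] " prefix the RPC puts in front of memo text, if present.
function memoText(memo) {
  if (typeof memo !== "string") return null;
  const m = memo.match(/^\[(\d+)\] ([\s\S]*)$/);
  return m ? m[2] : memo;
}

// Decode a memo as base64 and accept it only if it is a well-formed http(s) URL.
function decodeRelayUrl(text) {
  if (!text || text.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(text)) return null;
  const decoded = Buffer.from(text, "base64").toString("utf8");
  try {
    const url = new URL(decoded);
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch {
    return null;
  }
}

// Walk the signature list newest-first and return the first URL-bearing memo,
// together with the transaction that carried it (useful as an IOC).
function resolveStageTwoUrl(rpcResponse) {
  for (const entry of rpcResponse.result || []) {
    const url = decodeRelayUrl(memoText(entry.memo));
    if (url) return { url, signature: entry.signature, slot: entry.slot };
  }
  return null;
}

console.log(resolveStageTwoUrl(constructedRpcResponse));
```

The same parsing logic can be pointed at a saved RPC response captured from a sandbox run. Because the RPC endpoint is shared with legitimate Solana traffic, the useful network indicator is not the endpoint but the specific address being queried and the decoded URL it yields.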

From there, the second-stage script supplied decryption keys for the third-stage payload, which Aikido described as a Windows-focused stealer. The final malware reportedly established persistence, used a Google Calendar link as another relay, and pulled more components from attacker-controlled infrastructure.

What the final payload tried to steal

Aikido said the third-stage malware targeted both developer credentials and cryptocurrency assets. The report says it harvested stored npm tokens and GitHub credentials, while also searching for wallet data tied to MetaMask, Exodus, Atomic, Guarda, Coinomi, Trust Wallet, and OKX Wallet.

That combination makes the incident especially dangerous. Stolen npm or GitHub credentials can fuel follow-on supply chain attacks, while stolen wallet data creates a direct financial incentive for the attackers. This is also consistent with Glassworm’s earlier activity, which BleepingComputer reported had targeted GitHub, npm, OpenVSX, and crypto wallet data through malicious developer packages and extensions.

Why this attack matters

This case shows how little user interaction a supply chain attack may need. Developers did not have to open a suspicious file or click a phishing link. Installing or updating a dependency was enough. Because the malicious code ran in a lifecycle hook, the compromise could happen quietly during ordinary development or CI activity.

It also shows how attackers keep abusing trusted distribution channels. npm packages often sit inside automated workflows, and build environments may grant them network access, tokens, and filesystem access by default. Once malware lands in that path, the blast radius can reach far beyond a single laptop.

Affected packages and key details

| Package | Malicious version | Prior clean adjacent version | Publisher | Published on March 16 |
| --- | --- | --- | --- | --- |
| react-native-country-select | 0.3.91 | 0.3.9 | AstrOOnauta | Yes |
| react-native-international-phone-number | 0.11.8 | 0.11.7 | AstrOOnauta | Yes |

Source: Aikido Security.

Infection chain at a glance

| Stage | What happens | Why it matters |
| --- | --- | --- |
| Install | npm install triggers preinstall | No extra user action needed |
| Loader | Obfuscated install.js runs | Malware begins before package install completes |
| Filtering | System checks Russian locale and timezone markers | Malware may avoid certain systems |
| Relay | Solana RPC retrieves stage-two pointer | Delivery path becomes harder to block |
| Decryption | Stage two unlocks stage three | Multi-stage design hides intent |
| Theft | Final payload targets credentials and wallets | Both developer and financial assets are at risk |

Source: Aikido Security.

What developers should do now

Teams should immediately audit lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), package manifests, CI logs, and build caches for react-native-country-select 0.3.91 and react-native-international-phone-number 0.11.8. Any machine that installed either version should be treated as potentially compromised, especially if it ran on Windows, and isolated until it has been examined.

Credentials also need urgent attention. Aikido recommends rotating npm tokens, GitHub credentials, and any wallet or API secrets that were accessible from affected systems. Security teams should also review outbound connections for the IP addresses and relay infrastructure listed in the research.

Looking ahead, this is another reminder to monitor npm lifecycle scripts closely. Unexpected preinstall or postinstall behavior deserves immediate scrutiny, especially in packages that do not normally need install-time execution. Similar npm malware campaigns in 2025 also relied on install hooks to auto-run credential stealers, which shows this technique remains effective.
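The two checks above, finding the malicious releases in a lockfile and spotting install-time lifecycle scripts, can be scripted. The following is an added example written for this article, not code from Aikido or from the affected packages. It understands npm lockfileVersion 1 (nested dependencies) and 2/3 (flat packages map), and flags preinstall, install, and postinstall entries in a package.json. The lockfile and manifests are constructed samples; the exact preinstall command the backdoored releases used is not stated in the report, so "node install.js" is an assumption that only reflects the install.js file Aikido described.

```javascript
// Added example, not from Aikido or the affected projects: audit a lockfile for
// the two malicious releases and flag install-time lifecycle scripts.

// name -> set of malicious versions, as reported by Aikido.
const MALICIOUS_RELEASES = new Map([
  ["react-native-country-select", new Set(["0.3.91"])],
  ["react-native-international-phone-number", new Set(["0.11.8"])],
]);

// Hooks npm runs automatically while installing a dependency from the registry.
const INSTALL_TIME_HOOKS = ["preinstall", "install", "postinstall"];

// Package name from a lockfile path such as "node_modules/a/node_modules/b".
function nameFromLockPath(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// lockfileVersion 2/3 keeps a flat `packages` map keyed by install path
// ("" is the root project); lockfileVersion 1 nests `dependencies`.
// Walk whichever is present and return every malicious hit with its location.
function findMaliciousInLock(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = MALICIOUS_RELEASES.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p !== "") check(entry.name || nameFromLockPath(p), entry.version, p);
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, entry.version, where);
      walkV1(entry.dependencies, `${where}/`);
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, "");
  return hits;
}

// Return the install-time scripts a manifest declares; a UI package that
// suddenly grows one of these deserves a look before it is installed.
function installTimeScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_TIME_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Constructed lockfileVersion 3 sample: one malicious release, one clean
// sibling, and a clean nested copy of the first package.
const constructedLock = {
  name: "example-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react-native-country-select": { version: "0.3.91" },
    "node_modules/react-native-international-phone-number": { version: "0.11.7" },
    "node_modules/some-ui-kit": { version: "2.0.0" },
    "node_modules/some-ui-kit/node_modules/react-native-country-select": { version: "0.3.9" },
  },
};

// Constructed manifests: the install-hook shape Aikido described (the exact
// command is an assumption) beside a clean manifest.
const suspiciousManifest = {
  name: "react-native-country-select", version: "0.3.91",
  scripts: { preinstall: "node install.js", test: "jest" },
};
const cleanManifest = {
  name: "react-native-country-select", version: "0.3.9",
  scripts: { test: "jest" },
};

console.log(findMaliciousInLock(constructedLock));
console.log(installTimeScripts(suspiciousManifest), installTimeScripts(cleanManifest));
```

For a quick manual check, `npm ls react-native-country-select` and `npm ls react-native-international-phone-number` show which versions resolved in a project. Setting `ignore-scripts=true` in .npmrc (or passing `--ignore-scripts`) stops npm from running any lifecycle script during install; the trade-off is that packages which legitimately build native code at postinstall then need that step run explicitly.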

Bottom line

The Glassworm campaign did not target obscure developer tools. It hit common React Native packages that many teams could install without a second thought. Aikido’s research suggests the attackers used a clean, coordinated modification that turned routine dependency installation into a malware delivery channel.

For developers and security teams, the lesson is clear. Treat package lifecycle hooks as part of your attack surface, and assume any machine that installed the malicious releases may have exposed credentials, tokens, or wallet data. In software supply chain attacks, the most dangerous code is often the code nobody expected to run.

FAQ

Which npm packages were affected?

Aikido identified two malicious March 16 releases: react-native-country-select 0.3.91 and react-native-international-phone-number 0.11.8.

How did the malware execute?

It used a preinstall lifecycle hook that launched an obfuscated install.js during a normal npm install.

What did the malware try to steal?

Aikido said it targeted npm tokens, GitHub credentials, and wallet data from several popular crypto wallets including MetaMask and Exodus.

Was this a dependency accident or a direct package compromise?

Aikido said both packages appear to have been directly backdoored, and one of the malicious packages still depended on the earlier clean version of the other package.

What should affected developers do?

Audit for the malicious versions, isolate affected systems, rotate credentials and tokens, and review logs for the indicators of compromise listed by Aikido.
