A New Supply Chain Malware Operation Hits npm & PyPI

Published on 8 June 2025 at 15:40

In early June 2025, cybersecurity researchers uncovered a sophisticated supply-chain malware campaign targeting popular open-source package ecosystems—npm and PyPI. The attack was active in packages affiliated with the widely used GlueStack UI framework, infecting several modules critical to hundreds of thousands of developers worldwide.

What Happened?

  • Malicious Injection Details
    The attackers introduced a backdoor into the lib/commonjs/index.js file of over a dozen npm packages used by GlueStack. This malicious code allowed them to:

    • Execute arbitrary shell commands

    • Capture screenshots

    • Upload files from infected machines
      (Source: thehackernews.com)

  • Widespread Reach
    These packages amassed close to 1 million downloads per week, making the impact potentially massive (thehackernews.com). The first compromise was detected on June 6, 2025, at 9:33 p.m. GMT (thehackernews.com).


Affected Packages Snapshot

The compromised packages (with versions) included:

  • @gluestack-ui/utils (0.1.16 & 0.1.17)

  • A suite of @react-native-aria modules: button, checkbox, combobox, disclosure, focus, interactions, listbox, menu, overlay, radio, slider, switch, tabs, toggle, utils
    (Source: thehackernews.com)

These lightweight UI utility modules are extensively used in front-end and mobile app development, making them high-impact targets.


Malicious Capabilities Explained

  • Remote Access Trojan (RAT):
    The malicious payload functions like a RAT—allowing persistent remote execution, file exfiltration, screenshot capture, and dynamic command execution via APIs like ss_info and ss_ip (thehackernews.com, redseal.net).

  • Persistence & Stealth:
    Attackers designed the code to survive updates. Even if a maintainer pushes a clean package, the malware persists through its control mechanisms.


Why This Attack Matters

  1. Scale – Millions of users potentially exposed to malicious code.

  2. Trust Erosion – Even reputable packages can be compromised.

  3. Wide-Ranging Impact – Could lead to information theft, crypto-mining, service takedowns, or broader attacks.


Who’s Behind This?

The malware closely resembles a recent RAT from an unrelated npm compromise of the “rand-user-agent” package, suggesting a single threat actor or group is responsible (thehackernews.com).


Broader Context: Supply Chain Attacks in 2025

This incident is part of a growing wave of supply-chain threats. Earlier in June, independent packages on npm, PyPI, and RubyGems were flagged for various malicious behaviors: draining crypto wallets, wiping project directories, and exfiltrating credentials (thehackernews.com).

These campaigns underscore the alarming trend: the open-source ecosystem remains vulnerable, with millions of developers at risk.


Response & Remediation

  • Maintainers took action:
    Access tokens revoked, malicious versions deprecated (thehackernews.com).

  • What developers should do:

    • Audit dependencies for compromised versions

    • Roll back or update to safe releases

    • Use dependency scanning and supply-chain protection tools

    • Monitor alert services for package integrity
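
One way to run the dependency audit above against a parsed package-lock.json, as an added example (not code from the original article or from the GlueStack project). Function names and the sample lockfile are assumptions; the article gives versions only for @gluestack-ui/utils, so the listed @react-native-aria modules are flagged for manual review rather than as confirmed compromised.

```javascript
// Package data comes from the article's affected-package list. Versions are given
// only for @gluestack-ui/utils, so @react-native-aria hits are marked "review".
const COMPROMISED = new Map([['@gluestack-ui/utils', ['0.1.16', '0.1.17']]]);
const REVIEW = new Set(['button', 'checkbox', 'combobox', 'disclosure', 'focus',
  'interactions', 'listbox', 'menu', 'overlay', 'radio', 'slider', 'switch',
  'tabs', 'toggle', 'utils'].map((m) => `@react-native-aria/${m}`));

function classify(name, version, where) {
  if ((COMPROMISED.get(name) || []).includes(version)) {
    return { name, version, where, status: 'compromised' };
  }
  if (REVIEW.has(name)) return { name, version, where, status: 'review' };
  return null;
}

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackages(packages) {
  const out = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue; // root project ("") and workspace entries
    const name = meta.name || path.slice(i + 'node_modules/'.length);
    const hit = classify(name, meta.version, path);
    if (hit) out.push(hit);
  }
  return out;
}

// Lockfile v1: nested "dependencies" tree, walked recursively.
function scanDependencies(deps, trail = []) {
  const out = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const hit = classify(name, meta.version, [...trail, name].join(' > '));
    if (hit) out.push(hit);
    out.push(...scanDependencies(meta.dependencies, [...trail, name]));
  }
  return out;
}

function auditLockfile(lock) {
  return lock.packages ? scanPackages(lock.packages) : scanDependencies(lock.dependencies);
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' }, 'node_modules/react': { version: '18.2.0' },
  'node_modules/@gluestack-ui/utils': { version: '0.1.17' },
  'node_modules/foo/node_modules/@react-native-aria/focus': { version: '9.9.9' } } };
console.log(auditLockfile(SAMPLE_LOCK));
```

To check a real project, pass the result of JSON.parse on its package-lock.json to auditLockfile; transitive copies nested under other packages are reported with their install path.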


Long-Term Mitigations

  1. Dependency Scanning: Integrate tools like Snyk, Dependabot, and GitHub’s security alerts.

  2. Code Signing: Verify packages via signature validation.

  3. Minimal Permissions: Use containers or sandbox environments to constrain runtime access.

  4. Trustworthiness Assessment: Vet package maintainers and review changelogs.

  5. Defense-in-Depth: Combine static/dynamic analysis, integrity checks, and runtime monitoring.


Lessons Learned

  • No Package is Untouchable: Even infrastructure-adjacent modules are targets.

  • Early Detection Saves Lives: Speedy discovery and response are critical.

  • Combat at All Layers: From package management to runtime systems.

  • Ecosystem Cooperation: Maintainers, vendors, and platforms must work together—fast.


Final Thoughts

The June 2025 supply-chain malware attack is yet another alarming reminder: in our connected world, software trust is fragile. Developers, security teams, and organizations must proactively adopt supply-chain safeguards, embrace transparency in open-source governance, and invest in detection mechanisms—before malicious code spreads.

By promoting security hygiene—from dependency scanning to code-signing—we can all help defend our digital ecosystems. Let’s turn this wake-up call into collective resilience.
