Go offline with the Player FM app!
Inside the React Native NPM Supply Chain Breach: 16 Packages, 1 Million+ Downloads, and a RAT in the Code
Manage episode 487975072 series 3645080
In this episode, we break down the massive supply chain attack that rocked the React Native ecosystem beginning on June 6, 2025. Over 16 NPM packages, collectively downloaded over one million times per week, were silently weaponized with a Remote Access Trojan (RAT) embedded in obfuscated code. The attack, linked to the same threat actor behind the May 2025 rand-user-agent breach, exploited a compromised contributor token to inject malicious payloads into widely used libraries under the @react-native-aria and @gluestack-ui namespaces.
We examine how the malware embedded itself stealthily—using whitespace padding, hidden payloads, and path hijacking to achieve long-term persistence, especially on Windows systems. The trojan's capabilities include arbitrary command execution, system data exfiltration, and stealthy control via hardcoded C2 servers on non-standard ports. Despite the maintainers’ response—deprecating affected versions and implementing 2FA—experts warn that system-level compromises may already be widespread.
This incident is not isolated. We also highlight related supply chain attacks across NPM, PyPI, and even browser extensions and macOS malware. From credential theft to sabotage and full host takeovers, these threats underscore a growing trend: open-source ecosystems are high-value targets, and current trust models are not enough.
Join us for a deep technical dive into what happened, how it was detected, what makes this attack different—and what you must do now if you rely on these packages.
200 episodes
Manage episode 487975072 series 3645080
In this episode, we break down the massive supply chain attack that rocked the React Native ecosystem beginning on June 6, 2025. Over 16 NPM packages, collectively downloaded over one million times per week, were silently weaponized with a Remote Access Trojan (RAT) embedded in obfuscated code. The attack, linked to the same threat actor behind the May 2025 rand-user-agent breach, exploited a compromised contributor token to inject malicious payloads into widely used libraries under the @react-native-aria and @gluestack-ui namespaces.
We examine how the malware embedded itself stealthily—using whitespace padding, hidden payloads, and path hijacking to achieve long-term persistence, especially on Windows systems. The trojan's capabilities include arbitrary command execution, system data exfiltration, and stealthy control via hardcoded C2 servers on non-standard ports. Despite the maintainers’ response—deprecating affected versions and implementing 2FA—experts warn that system-level compromises may already be widespread.
This incident is not isolated. We also highlight related supply chain attacks across NPM, PyPI, and even browser extensions and macOS malware. From credential theft to sabotage and full host takeovers, these threats underscore a growing trend: open-source ecosystems are high-value targets, and current trust models are not enough.
Join us for a deep technical dive into what happened, how it was detected, what makes this attack different—and what you must do now if you rely on these packages.
200 episodes
All episodes
×
1 Taiwan Sounds the Alarm: TikTok, WeChat, and the Chinese Data Threat 1:06:28

1 The Evolution of Atomic macOS Stealer: Backdoors, Keyloggers, and Persistent Threats 45:00

1 CitrixBleed Returns: CVE-2025-5777 and the Exploitation of NetScaler Devices 1:02:21

1 SAP’s July 2025 Patch Day: Critical Flaws, CVE-2025-30012, and Ransomware Risk 1:02:01

1 106GB Exposed? Telefónica, HellCat, and the Silent Data Breach 50:33

1 Ingram Micro’s SafePay Ransomware Breach: Human-Operated Threats and Supply Chain Fallout 59:56

1 The Illusion of Shutdowns: What Hunters International's Closure Really Means 42:41

1 CISA Flags CVE-2025-6554: Patching Chrome’s Critical Flaw Before It’s Too Late 40:49

1 ANSSI vs. Houken: France Battles Advanced Chinese Hacking Threat 33:16

1 Psychological Manipulation and AI Fraud: How Spain Exposed a $12M Scam 17:21

1 CVE-2025-20309: Critical Cisco Root Access Flaw Threatens VoIP Security 41:32

1 macOS Under Siege: NimDoor Malware Targets Telegram, Wallets, and Keychains 43:09

1 Cisco Unified CM Vulnerability: Root Access Risk for Enterprise VoIP Networks 56:02

1 Forminator Flaw Exposes WordPress Sites to Takeover Attacks: Vulnerability Threatens 600,000+ Sites 50:32

1 Kelly Benefits Breach: Over 550,000 Victims and the Rising Identity Theft Crisis 1:08:04
Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.