Inside the React Native NPM Supply Chain Breach: 16 Packages, 1 Million+ Downloads, and a RAT in the Code
Episode 116

Daily Security Review

June 10, 2025 · 41m 15s

Show Notes

In this episode, we break down the massive supply chain attack that rocked the React Native ecosystem beginning on June 6, 2025. Over 16 NPM packages, collectively downloaded over one million times per week, were silently weaponized with a Remote Access Trojan (RAT) embedded in obfuscated code. The attack, linked to the same threat actor behind the May 2025 rand-user-agent breach, exploited a compromised contributor token to inject malicious payloads into widely used libraries under the @react-native-aria and @gluestack-ui namespaces.

We examine how the malware embedded itself stealthily—using whitespace padding, hidden payloads, and path hijacking to achieve long-term persistence, especially on Windows systems. The trojan's capabilities include arbitrary command execution, system data exfiltration, and stealthy control via hardcoded C2 servers on non-standard ports. Despite the maintainers’ response—deprecating affected versions and implementing 2FA—experts warn that system-level compromises may already be widespread.

This incident is not isolated. We also highlight related supply chain attacks across NPM, PyPI, and even browser extensions and macOS malware. From credential theft to sabotage and full host takeovers, these threats underscore a growing trend: open-source ecosystems are high-value targets, and current trust models are not enough.

Join us for a deep technical dive into what happened, how it was detected, what makes this attack different—and what you must do now if you rely on these packages.

Topics

React Native, npm supply chain attack, remote access trojan, RAT, open-source security, package compromise, JavaScript malware, Gluestack UI, @react-native-aria, rand-user-agent, Windows persistence malware, npm malware, PyPI compromise, software supply chain, cybersecurity, dependency hijacking, C2 servers, malicious npm packages, React Native ARIA, open-source trust, system compromise, malware obfuscation, Node.js security, credential theft, persistent threat actor, developer security, CI/CD compromise, token hijacking, 2FA enforcement, malware in dev environments, package manager security