Popular NPM packages with over a million downloads hit by malware

Researchers discovered 17 NPM packages laden with malware.

Jun 9, 2025 - 17:10

  • 17 NPM packages with more than a million weekly downloads were compromised to deliver a RAT
  • The attack could turn into a major supply chain attack, experts warned
  • The packages were since deprecated, but users should be on their guard

More than a dozen packages on NPM were poisoned with a Remote Access Trojan (RAT), possibly infecting millions of projects.

Cybersecurity researchers Aikido Security recently discovered malicious code buried very deep in 17 popular Gluestack packages.

The packages cumulatively have more than a million downloads weekly, meaning huge numbers of users could possibly be affected, the experts warned.

Revoking access tokens

Here is the full list of compromised packages:

  • @react-native-aria/button
  • @react-native-aria/checkbox
  • @react-native-aria/combobox
  • @react-native-aria/disclosure
  • @react-native-aria/focus
  • @react-native-aria/interactions
  • @react-native-aria/listbox
  • @react-native-aria/menu
  • @react-native-aria/overlays
  • @react-native-aria/radio
  • @react-native-aria/switch
  • @react-native-aria/toggle
  • @react-native-aria/utils
  • @gluestack-ui/utils
  • @react-native-aria/separator
  • @react-native-aria/slider
  • @react-native-aria/tabs

The packages deployed malicious code that connected to the attackers’ command-and-control (C2) server and received additional commands, including, among other things, the ability to upload a single file or multiple files.

Furthermore, the trojan can perform Windows PATH hijacking and silently override the legitimate python and pip commands.

In response, Gluestack revoked an access token used to publish the compromised packages. All of the poisoned tools are marked on NPM as deprecated.

"Unfortunately, unpublishing the compromised version wasn’t possible due to dependent packages," a GlueStack developer said on GitHub. "As a mitigation, I have deprecated the affected versions and updated the latest tag to point to a safe, older version."
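The mitigation described above deprecates the bad versions and repoints the `latest` tag, but a project whose lockfile already pins an affected version keeps installing that version. As an added example (not code from the article, Gluestack or Aikido), this Node script scans a parsed package-lock.json for the 17 package names listed above; because the article gives no affected version numbers, it reports every pinned version of those names for comparison against the upstream advisory. The `example-ui-kit` name and all version strings in the sample lockfile are constructed.

```javascript
// Names from the article's list; no versions are given there, so any pinned version is reported.
const COMPROMISED = new Set([
  '@react-native-aria/button', '@react-native-aria/checkbox', '@react-native-aria/combobox',
  '@react-native-aria/disclosure', '@react-native-aria/focus', '@react-native-aria/interactions',
  '@react-native-aria/listbox', '@react-native-aria/menu', '@react-native-aria/overlays',
  '@react-native-aria/radio', '@react-native-aria/switch', '@react-native-aria/toggle',
  '@react-native-aria/utils', '@gluestack-ui/utils', '@react-native-aria/separator',
  '@react-native-aria/slider', '@react-native-aria/tabs',
]);
// v2/v3 lockfile keys are install paths; the name is everything after the last "node_modules/".
function nameFromPath(installPath) {
  const idx = installPath.lastIndexOf('node_modules/');
  return idx === -1 ? installPath : installPath.slice(idx + 'node_modules/'.length);
}
// Returns every occurrence of a listed package in a parsed package-lock.json,
// including transitive copies nested under other dependencies.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path; '' is the root project.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === '') continue;
      const name = meta.name || nameFromPath(installPath);
      if (COMPROMISED.has(name)) hits.push({ name, version: meta.version, path: installPath });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree of { name: { version, dependencies } }.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        if (COMPROMISED.has(name)) hits.push({ name, version: meta.version, path: installPath });
        if (meta.dependencies) walk(meta.dependencies, `${installPath}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfile (v3): one listed package nested under a hypothetical UI kit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/example-ui-kit': { version: '2.0.0' },
    'node_modules/example-ui-kit/node_modules/@react-native-aria/focus': { version: '0.0.0-placeholder' },
    'node_modules/react': { version: '18.2.0' },
  },
};
console.log(findCompromised(SAMPLE_LOCK)); // one hit: @react-native-aria/focus
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a hit means the version shown must be checked against the advisory and, if affected, the lockfile regenerated after the dependency is updated.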

The Node Package Manager (NPM) is the default package manager for the JavaScript runtime environment Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts, and more.

As such, it is vastly popular, having millions of monthly visitors, and hundreds of thousands of registered accounts that frequently publish their packages.

Unfortunately, popular platforms attract threat actors in droves, and situations such as this one are not uncommon on NPM or on similar platforms such as GitHub or PyPI.

Via BleepingComputer
