Active NPM Attack Escalates: 16 React Native Packages for GlueStack Backdoored Overnight
A massive supply chain escalation occurred overnight as sophisticated threat actors successfully backdoored 16 distinct React Native packages associated with the widely utilized GlueStack framework. The compromised packages, which are embedded within a broad open-source ecosystem accumulating over a million weekly downloads, contain a stealthy, heavily obfuscated Remote Access Trojan (RAT). Because the malicious payload uses advanced code obfuscation, it easily bypasses standard static application security testing (SAST) tools. Once pulled into a mobile application build, the RAT establishes a persistent, unauthorized command-and-control connection from the developer machine or the user's endpoint, allowing remote execution and system takeover.Mobile development teams must immediately halt all active build processes using GlueStack components and audit their complete dependency tree. All 16 backdoored React Native packages must be purged and replaced with verified, clean releases from the core maintainers. Teams should deploy runtime application self-protection (RASP) mechanisms and ensure that endpoint protection platforms are updated to identify the specific obfuscation patterns used by this Remote Access Trojan.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.
Related Articles





