Active NPM Attack Escalates: 16 React Native Packages for GlueStack Backdoored Overnight

June 7, 2025

A massive supply chain escalation occurred overnight as sophisticated threat actors successfully backdoored 16 distinct React Native packages associated with the widely utilized GlueStack framework. The compromised packages, which are embedded within a broad open-source ecosystem accumulating over a million weekly downloads, contain a stealthy, heavily obfuscated Remote Access Trojan (RAT). Because the malicious payload uses advanced code obfuscation, it easily bypasses standard static application security testing (SAST) tools. Once pulled into a mobile application build, the RAT establishes a persistent, unauthorized command-and-control connection from the developer machine or the user's endpoint, allowing remote execution and system takeover.Mobile development teams must immediately halt all active build processes using GlueStack components and audit their complete dependency tree. All 16 backdoored React Native packages must be purged and replaced with verified, clean releases from the core maintainers. Teams should deploy runtime application self-protection (RASP) mechanisms and ensure that endpoint protection platforms are updated to identify the specific obfuscation patterns used by this Remote Access Trojan.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?