Cybersecurity researchers have flagged a supply chain attack that targeted 12 packages associated with Gluestack to deliver malware.
The malware, introduced via a change to "lib/commonjs/index.js", allows attackers to run shell commands, take screenshots, and upload files to infected machines, Aikido Security said. These packages collectively account for nearly 1 million downloads each week.
The unauthorized access can then be used to carry out a variety of follow-on actions, such as mining cryptocurrency, stealing sensitive information, or even shutting down services. Aikido said the initial package compromise was detected on June 6, 2025, at 9:33 p.m. GMT.
Here is the list of affected packages and versions:
- @gluestack-ui/utils version 0.1.16 (101 downloads)
- @gluestack-ui/utils version 0.1.17 (176 downloads)
- @react-native-aria/button version 0.2.11 (174 downloads)
- @react-native-aria/checkbox version 0.2.11 (577 downloads)
- @react-native-aria/combobox version 0.2.8 (167 downloads)
- @react-native-aria/disclosure version 0.2.9 (n/a)
- @react-native-aria/focus version 0.2.10 (951 downloads)
- @react-native-aria/interactions version 0.2.17 (420 downloads)
- @react-native-aria/listbox version 0.2.10 (171 downloads)
- @react-native-aria/menu version 0.2.16 (54 downloads)
- @react-native-aria/overlay version 0.3.16 (751 downloads)
- @react-native-aria/radio version 0.2.14 (570 downloads)
- @react-native-aria/slider version 0.2.13 (264 downloads)
- @react-native-aria/switch version 0.2.5 (56 downloads)
- @react-native-aria/tabs version 0.2.14 (170 downloads)
- @react-native-aria/toggle version 0.2.12 (589 downloads)
- @react-native-aria/utils version 0.2.13 (341 downloads)
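For teams that need to check whether a project pulled in one of the versions listed above, here is an added example (not from the article, Aikido or the Gluestack project) that walks a lockfile-version 2/3 package-lock.json "packages" map, including nested node_modules entries, and reports any compromised name/version pair. The lockfile content is constructed inline for the demonstration.

```javascript
// Added example: match package-lock.json entries against the compromised
// Gluestack / react-native-aria versions reported by Aikido (list from the article).
const COMPROMISED = {
  "@gluestack-ui/utils": ["0.1.16", "0.1.17"],
  "@react-native-aria/button": ["0.2.11"],
  "@react-native-aria/checkbox": ["0.2.11"],
  "@react-native-aria/combobox": ["0.2.8"],
  "@react-native-aria/disclosure": ["0.2.9"],
  "@react-native-aria/focus": ["0.2.10"],
  "@react-native-aria/interactions": ["0.2.17"],
  "@react-native-aria/listbox": ["0.2.10"],
  "@react-native-aria/menu": ["0.2.16"],
  "@react-native-aria/overlay": ["0.3.16"],
  "@react-native-aria/radio": ["0.2.14"],
  "@react-native-aria/slider": ["0.2.13"],
  "@react-native-aria/switch": ["0.2.5"],
  "@react-native-aria/tabs": ["0.2.14"],
  "@react-native-aria/toggle": ["0.2.12"],
  "@react-native-aria/utils": ["0.2.13"],
};

// Lockfile v2/v3 keys look like "node_modules/@scope/name" or, when nested,
// "node_modules/a/node_modules/@scope/name"; the "" key is the root project.
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    const bad = COMPROMISED[name];
    if (bad && bad.includes(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project); one clean and two bad entries.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@react-native-aria/focus": { version: "0.2.10" },
    "node_modules/@react-native-aria/button": { version: "0.2.9" },
    "node_modules/x/node_modules/@gluestack-ui/utils": { version: "0.1.17" },
  },
};
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any hit means the affected version should be rolled back and the machine treated as potentially compromised.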
Furthermore, the malicious code injected into the packages is similar to the remote access trojan that was delivered following the compromise of another NPM package, "rand-user-agent", last month, indicating that the same threat actor could be behind the activity.
The trojan is an updated version that supports two new commands to collect system information ("ss_info") and the host's public IP address ("ss_ip").
The project maintainers have since revoked the access token and marked the affected versions as deprecated. Users who may have downloaded a malicious version are advised to roll back to a safe version to mitigate the potential threat.
“The potential impact is large and the malware persistence mechanism is particularly concerning. Attackers are still maintaining access to infected machines even after maintainers update their packages,” the company said in a statement.
Malicious packages found in NPM unleash destructive features
The development comes as Socket discovered two rogue NPM packages that implant wipers: they pose as legitimate utilities but can delete the entire application directory.

The packages, published by the account "botsailer" (email: anupm019@gmail(.)com), were downloaded 112 and 861 times, respectively, before being removed.
The first of the two packages, express-api-sync, claims to be an Express API for synchronizing data between two databases. However, once an unsuspecting developer installs it and adds it to an application, receiving an HTTP request that carries the hard-coded key "Default_123" triggers execution of the malicious code.
Upon receiving the key, it runs the UNIX command "rm -rf *" to recursively delete all files in the current directory, including source code, configuration files, assets, local databases, and so on.
The other package is more refined and acts as both an information stealer and a wiper, choosing the delete command based on whether the operating system is Windows ("rd /s /q .") or Linux ("rm -rf *").
"If express-api-sync is a blunt instrument, system-health-sync-api is a Swiss Army knife of destruction with intelligence gathering," said security researcher Kush Pandya.
A notable aspect of the NPM package is that it connects to an attacker-controlled mailbox via attacker-controlled SMTP credentials and uses email as a covert communication channel. The password is obfuscated using base64 encoding, while the username refers to an email address on a domain associated with an India-based real estate agency ("auth@corehomes(.)in").
"All important events trigger an email to anupm019@gmail(.)com," Socket said. "This email contains the full backend URL and may expose internal infrastructure details, development environments, or unpublished staging servers."
Using SMTP for data exfiltration is insidious, as most firewalls do not block email traffic.
Additionally, the package exposes the endpoints "/_/system/health" and "/_/sys/maintenance" to unleash platform-specific destruction commands.
"Attackers first check the backdoor via GET /_/system/health, which returns the server's hostname and status," Pandya explained. "If configured, they test in dry-run mode and then carry out the destruction via POST /_/system/health or the backup POST /_/sys/maintenance endpoint, using the key 'Helloworld'."
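The two-stage probe-then-trigger pattern described above leaves a recognisable trace in web-server access logs. The following added example (not from the article or Socket) scans Common Log Format lines for requests to the two backdoor paths, normalising path case, and rates a POST to them as critical since that is the destruction trigger. The log lines are constructed for the demonstration.

```javascript
// Added example: flag requests to the system-health-sync-api backdoor endpoints
// in access logs. Paths are taken from the article; log lines are constructed.
const BACKDOOR_PATHS = ["/_/system/health", "/_/sys/maintenance"];

// Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // skip lines that are not in CLF
    const [, ip, time, method, rawPath, status] = m;
    // Drop the query string and lower-case so "/_/System/Health" still matches.
    const path = rawPath.split("?")[0].toLowerCase();
    const hit = BACKDOOR_PATHS.some((p) => path === p || path.startsWith(p + "/"));
    if (!hit) continue;
    findings.push({
      ip,
      time,
      method,
      path,
      status: Number(status),
      // GET is the reconnaissance probe; POST is the wipe trigger.
      severity: method === "POST" ? "critical" : "high",
    });
  }
  return findings;
}

// Constructed sample log (not real traffic): one probe, one trigger, two benign hits.
const SAMPLE_LOG = [
  '203.0.113.7 - - [07/Jun/2025:10:01:02 +0000] "GET /api/users HTTP/1.1" 200 512',
  '203.0.113.7 - - [07/Jun/2025:10:01:05 +0000] "GET /_/System/Health HTTP/1.1" 200 88',
  '203.0.113.7 - - [07/Jun/2025:10:01:09 +0000] "POST /_/sys/maintenance HTTP/1.1" 200 17',
  '198.51.100.2 - - [07/Jun/2025:10:02:00 +0000] "GET /health HTTP/1.1" 200 2',
].join("\n");
```

A GET followed shortly by a POST from the same source, as in the sample, is the sequence Pandya describes and is worth alerting on even when the response status is 200.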
The discovery of the two NPM packages shows that threat actors are beginning to branch out beyond information and cryptocurrency theft to focus on system sabotage.
PyPI package poses as an Instagram growth tool to harvest credentials
It also comes as the software supply chain security company discovered a new Python-based credential stealer, imad213, in the Python Package Index (PyPI) repository, which claims to be a growth tool for Instagram. According to statistics published on pepy.tech, the package has been downloaded 3,242 times.
"The malware uses base64 encoding to hide its true nature and implements a remote kill switch via a Netlify-hosted control file," Pandya said. "When run, it broadcasts the user's Instagram credentials to 10 different third-party bot services after prompting for them under the pretense of increasing their followers."
The Python library was uploaded by a user named im_ad__213 (aka IMAD-213), who joined the registry on March 21, 2025, and has uploaded three other packages: taya and a-b27, which target Facebook, Gmail, Twitter and VK credentials, and poppo213, which leverages Apache Bench.
Below is the list of packages, which can still be downloaded from PyPI:
- imad213 (3,242 downloads)
- taya (930 downloads)
- a-b27 (996 downloads)
- poppo213 (3,165 downloads)
In the GitHub README.md published by IMAD-213 about two days before "imad213" was uploaded to PyPI, the threat actor notes that they are not responsible for any misuse, claiming that the library is for "educational and research purposes."
The GitHub description also includes "deceptive safety tips" that encourage users to use fake or temporary Instagram accounts to avoid running into problems with their main account.
"This creates a false sense of security. Users think they are being cautious while handing over valid credentials to attackers," Pandya said.

Upon execution, the malware connects to an external server, reads a text file ("pass.txt") and proceeds only if the file's content matches the string "IMAD213". The kill switch can serve multiple purposes: it lets the threat actor control who is able to run the library, or disable all downloaded copies simply by changing the contents of the control file.
In the next step, the library prompts the user to enter their Instagram credentials, which are then saved locally to a file named "credentials" and broadcast to 10 different suspicious bot service websites. The domain was registered in June 2021.
"The emergence of this credential harvester reveals something about trends in malware targeting social media," Socket said. "With 10 different bot services receiving the credentials, we are seeing the early stages of credential laundering, where stolen logins are distributed across multiple services, obscuring their origin."