Two React Native npm packages from the same publisher were backdoored on March 16, 2026, in a coordinated supply chain attack. Both `react-native-country-select@0.3.91` and `react-native-international-phone-number@0.11.8` had an identical obfuscated `preinstall` hook added that triggers a multi-stage Windows credential and crypto stealer on `npm install`. The attack chain uses Solana RPC to deliver a stage-two payload, AES-decrypts a third stage, establishes persistence via Windows scheduled tasks and registry keys, uses Google Calendar as an indirection layer, downloads a full Node.js runtime, steals browser wallet extensions (MetaMask, Exodus, Trust Wallet, etc.), and exfiltrates npm and GitHub credentials. The malware skips execution on Russian-locale systems. Combined weekly downloads for the two packages exceeded 29,000. Indicators of compromise and detection guidance are provided.
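As an added example (not Aikido's tooling or code from the advisory), the check a defender would run against a project tree: walk `node_modules`, flag the two package versions named above, and apply an assumed heuristic for obfuscated lifecycle hooks (inline code execution combined with a long high-entropy literal). The package tree it scans and the hook contents are constructed inline; the hook is a stand-in, not the real payload.

```python
import base64
import json
import math
import re
import tempfile
from pathlib import Path

# Package versions named in the advisory.
BACKDOORED = {
    "react-native-country-select": {"0.3.91"},
    "react-native-international-phone-number": {"0.11.8"},
}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
CODE_EXEC = re.compile(r"\bnode\s+-e\b|\beval\(|Function\(|fromCharCode")

def shannon_entropy(s: str) -> float:
    """Bits per character; opaque base64/hex blobs score high, plain commands low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def hook_is_suspicious(cmd: str) -> bool:
    """Assumed heuristic (thresholds are this example's choice): inline code
    execution plus a literal of 80+ base64-ish chars with entropy above 4.5 bits."""
    blobs = re.findall(r"[A-Za-z0-9+/=]{80,}", cmd)
    return bool(CODE_EXEC.search(cmd)) and any(shannon_entropy(b) > 4.5 for b in blobs)

def scan_package_json(path: Path) -> list:
    data = json.loads(path.read_text(encoding="utf-8"))
    name, version = data.get("name", ""), data.get("version", "")
    findings = []
    if version in BACKDOORED.get(name, ()):
        findings.append(f"KNOWN-BAD {name}@{version}")
    for hook in LIFECYCLE_HOOKS:
        cmd = data.get("scripts", {}).get(hook)
        if isinstance(cmd, str) and hook_is_suspicious(cmd):
            findings.append(f"SUSPICIOUS {hook} in {name}@{version}")
    return findings

def scan_tree(root: Path) -> list:
    """Scan every package.json below root (e.g. a project's node_modules)."""
    return [f for p in sorted(root.rglob("package.json")) for f in scan_package_json(p)]

def demo() -> list:
    """Constructed node_modules: one backdoored version carrying a stand-in
    obfuscated hook (NOT the real payload) and one benign package."""
    blob = base64.b64encode(bytes(range(256))).decode()  # constructed filler blob
    pkgs = {
        "react-native-country-select": {"version": "0.3.91", "scripts": {
            "preinstall": f"node -e \"eval(Buffer.from('{blob}','base64').toString())\""}},
        "benign-example-pkg": {"version": "1.0.0", "scripts": {"postinstall": "node scripts/build.js"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, meta in pkgs.items():
            d = Path(tmp, "node_modules", name)
            d.mkdir(parents=True)
            (d / "package.json").write_text(json.dumps({"name": name, **meta}))
        return scan_tree(Path(tmp))
```

Point `scan_tree` at a real project's `node_modules` to get the same two kinds of findings; the entropy heuristic is a triage aid, not a verdict, and a hit warrants reading the hook by hand.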

From aikido.dev
Table of contents

- What Happened
- How The Malware Worked
- Evidence
- What The Recovered Payload Does
- Conclusion
- Indicators Of Compromise
- Detection and Protection
