StepSecurity detected a three-wave supply chain attack on two popular React Native npm packages — react-native-international-phone-number and react-native-country-select — with over 130K monthly downloads combined. The attacker gained npm account access and injected malicious preinstall hooks executing heavily obfuscated JavaScript malware. The malware uses a Solana blockchain wallet as a censorship-resistant C2 resolver, fetches AES-256 encrypted platform-specific payloads from a Vultr server, executes them entirely in memory, and skips Russian/CIS machines via geo-filtering. Across three waves, the attacker evolved from direct preinstall hooks to a three-layer transitive dependency chain to evade detection. The campaign is linked to the GlassWorm threat actor previously seen in the ForceMemo Python repository attack. Safe versions are react-native-international-phone-number@0.11.7 and react-native-country-select@0.4.0. Affected users should check for ~/init.json, rotate secrets, and audit outbound network logs.
Table of contents
The Compromised Packages (Account Takeover)
Wave 1 Detection — March 16, 2026
The Attack Continues — Wave 2: Infrastructure Staging (March 17, 2026)
Wave 3: Payload Activation and Evolving Delivery (March 18, 2026)
Full Attack Timeline
How the Attack Worked
Connection to ForceMemo and the GlassWorm Threat Actor
StepSecurity Response Across All Waves
Indicators of Compromise
What You Should Do
Acknowledgement
How StepSecurity Helps
References