The JavaScript development community is on high alert following a coordinated supply chain attack targeting two popular React Native packages. Cybersecurity researchers at Aikido have uncovered an incident in which a single publisher, known as AstrOOnauta, released backdoored updates for tools used by thousands of developers worldwide.
The attack, which occurred on March 16, 2026, compromised react-native-country-select and react-native-international-phone-number, affecting packages with a combined monthly download count of over 134,000.
Unlike attacks that require a user to run a specific command, this exploit is triggered by a routine npm install. The attacker introduced a malicious preinstall hook into the package configuration: a script that runs automatically before the legitimate installation even completes.
As the Aikido research team noted:
“Both releases added an identical install-time loader that fetches and executes a multi-stage Windows credential and crypto stealer, triggered by nothing more than a routine npm install”.
By embedding the threat in a preinstall hook, the attackers ensured that “developers, CI runners, and build agents can trigger the malware just by installing the package”.
The initial loader acts as a scout, fetching a stage-two artifact that eventually deploys a highly specialized Windows payload. This deeper malware is designed with one goal: total exfiltration of the developer’s digital life.
Key targets identified in the payload include:
- Cryptocurrency Wallets: The script explicitly searches for extension identifiers for MetaMask, Phantom, Coinbase, Rabby, OKX, and several others.
- Browser Data: It targets Chromium-family and Firefox profiles, specifically looking for “Local Extension Settings” and “User Data”.
- Developer Secrets: The malware is programmed to steal npm and GitHub credentials, potentially allowing the attackers to pivot and launch further supply chain attacks.
The malware doesn’t just steal data and vanish. It includes logic to kill active browser processes to ensure it can access locked database files, such as those belonging to Firefox or Chrome. To remain on the system, the decrypted Windows payload establishes persistence, allowing it to survive reboots and continue downloading additional components.
“The installer does not merely beacon or test the environment. It leads to a decrypted Windows payload that persists, downloads more components, steals wallet data… and exfiltrates collected archives to attacker-controlled infrastructure”.
The AstrOOnauta incident is a stark reminder of the inherent risks in modern web development, where a single update to a minor dependency can compromise an entire enterprise.