Glassworm Malware Targets React Native Packages, Steals Developer Credentials

On March 16, 2026, a sophisticated supply chain attack orchestrated by the threat actor known as Glassworm targeted the developer community by compromising two widely used React Native npm packages: `[email protected]` and `[email protected]`. These packages, essential for mobile UI tasks such as phone number input and country selection, had collectively amassed over 134,000 downloads in the month preceding the attack.

Attack Mechanism:

The malicious versions of these packages introduced a `preinstall` hook that executed an obfuscated JavaScript file named `install.js` during the installation process. This script initiated a multi-stage payload designed to steal sensitive information from developers’ systems. Notably, the attack required no special action from the victims; merely running a standard `npm install` command was sufficient to trigger the malware.

Execution Chain:

1. Locale Check: Upon execution, `install.js` first inspected the system's locale settings. If the language or time zone carried Russian markers, the malware exited without doing anything further, a tactic threat actors commonly use to avoid infecting (and drawing attention in) certain regions.

2. Payload Retrieval: If the locale check passed, the script queried a Solana blockchain account to retrieve a base64-encoded URL hidden within a transaction memo. This method of using a public blockchain for payload delivery made it challenging to block the malicious URL through conventional means.

3. Decryption and Execution: The retrieved URL led to the decryption keys for the final payload, a Windows-focused stealer. Once decrypted and run, this payload established persistence on the infected system through a Windows Task Scheduler task and an entry under the `Run` registry key.

4. Data Exfiltration: The stealer targeted various cryptocurrency wallets, including MetaMask, Exodus, Atomic, Guarda, Coinomi, Trust Wallet, and OKX Wallet. Additionally, it harvested stored npm tokens and GitHub credentials, posing a significant risk to developers’ projects and personal data.

Scope of Impact:

In the week of the attack alone, the compromised packages were downloaded 29,763 times, highlighting the extensive reach of this supply chain attack. Developers integrating these packages into their projects, either directly or as dependencies, were at risk of credential theft and unauthorized access to their systems.

Mitigation Measures:

Developers are strongly advised to take the following actions to mitigate the impact of this attack:

– Audit Dependencies: Review all projects for the presence of the compromised package versions (`[email protected]` and `[email protected]`). If found, remove or downgrade to secure versions immediately.

– Rotate Credentials: Given the malware’s capability to steal npm tokens and GitHub credentials, it’s crucial to rotate all potentially exposed secrets to prevent unauthorized access.

– Monitor Systems: Conduct thorough scans of development environments for signs of compromise, such as unauthorized tasks in the Windows Task Scheduler or unexpected entries in the `Run` registry key.

– Enhance Security Practices: Implement strict access controls, enable two-factor authentication for all developer accounts, and regularly update all software dependencies to their latest secure versions.

Conclusion:

The Glassworm attack underscores the critical importance of vigilance in managing software dependencies and the need for robust security practices within the development community. Supply chain attacks continue to evolve, and developers must remain proactive in safeguarding their environments against such sophisticated threats.