On June 7, 2025, cybersecurity researchers at Aikido Security uncovered a sophisticated supply chain attack targeting 17 popular Gluestack NPM packages, collectively amassing over 960,000 weekly downloads. These React Native Aria packages, including critical components like checkbox, focus, and utils, are foundational to countless applications. The attack injected malicious code acting as a remote access trojan (RAT) into the lib/commonjs/index.js file, enabling attackers to execute shell commands, capture screenshots, and steal sensitive data such as credentials and proprietary code. This incident underscores the growing threat of supply chain attacks and the urgent need for businesses and developers to fortify their cybersecurity defenses.

Anatomy of the Gluestack NPM Attack

The Gluestack NPM Attack was meticulously crafted to evade detection. Attackers embedded obfuscated JavaScript code in the affected packages, which established persistent connections to command-and-control (C2) servers via hard-coded SMTP credentials. This allowed the malware to communicate covertly through email, sending stolen data and receiving further instructions. The RAT’s capabilities included executing arbitrary shell commands, which could install additional malware, exfiltrate sensitive files, or even pivot to other systems within a network. The attack’s scale is alarming: with over a million weekly downloads across the affected packages, countless developers and end-users could be impacted, from small startups to large enterprises relying on React Native for mobile and web applications.

What makes this attack particularly insidious is its timing and execution. Malicious package versions were published just hours before detection, exploiting the trust developers place in automated dependency updates. Many development pipelines automatically pull the latest package versions, allowing the malicious code to spread rapidly before mitigation efforts could begin. This highlights a critical vulnerability in the open-source ecosystem, where speed and convenience often outpace security scrutiny.

The Rising Threat of Supply Chain Attacks

Supply chain attacks have become a preferred tactic for cybercriminals due to their cascading impact. Recent incidents, such as compromised Magento extensions, PyPI packages, and RVTools installers, demonstrate how attackers target widely used software components to maximize damage. In 2024 alone, over 1,200 supply chain attacks were reported, a 40% increase from the previous year, according to industry reports. The Gluestack NPM Attack fits this pattern, exploiting the interconnected nature of software development, where a single compromised library can affect thousands of downstream applications.

The consequences of such attacks are far-reaching. For businesses, a compromised dependency can lead to data breaches, intellectual property theft, or ransomware deployment. For example, a retail company using a compromised Gluestack package in its mobile app could inadvertently expose customer payment information, leading to financial losses and regulatory penalties. For developers, the reputational damage of deploying insecure code can erode trust with clients and users. As the number of open-source packages grows—NPM alone hosts over 2 million packages—the attack surface expands, making supply chain security a critical priority.

Why Open-Source Ecosystems Are Vulnerable

Open-source software, while a cornerstone of modern development, is inherently vulnerable to supply chain attacks. Many packages are maintained by small teams or individual contributors who lack the resources to implement robust security measures. Additionally, the trust-based model of open-source repositories, where packages are assumed to be safe, creates opportunities for attackers to publish malicious versions or compromise legitimate maintainers’ credentials. The Gluestack NPM Attack exploited this trust, as developers unknowingly integrated the tainted packages into their projects.

The proliferation of Internet of Things (IoT) devices further complicates the threat landscape. Many IoT systems rely on open-source libraries for their software, and a compromised library could turn a smart device into a vector for network attacks. For instance, a smart home system using a compromised Gluestack package could allow attackers to access connected cameras or sensors, compromising user privacy. With over 30 billion IoT devices projected globally by 2030, securing the software supply chain is no longer optional—it’s a necessity.

Actionable Steps to Protect Against Supply Chain Attacks

To mitigate the risks of supply chain attacks like the Gluestack NPM Attack, businesses and developers must adopt a proactive, multi-layered approach to cybersecurity. Here are seven essential steps to safeguard your systems:

  • Vet Third-Party Dependencies: Use tools like Snyk, Dependabot, or npm audit to scan open-source packages for known vulnerabilities before integration. Implement version pinning to prevent automatic updates to unverified package versions.
  • Monitor for Malicious Activity: Deploy real-time monitoring tools to detect suspicious behavior, such as unexpected network traffic to unknown servers or unauthorized file changes. Solutions like intrusion detection systems (IDS) can flag anomalies indicative of a RAT.
  • Patch and Update Promptly: Ensure all software, including dependencies, is updated to the latest secure versions. Set up automated alerts for new package releases and verify their integrity before deployment.
  • Adopt a Zero-Trust Approach: Treat all components, even those from trusted sources, as potential risks. Use code signing and checksum verification to ensure package authenticity.
  • Secure Development Pipelines: Implement secure CI/CD practices, such as scanning dependencies during builds and restricting access to package registries. Use private registries for critical projects to reduce exposure.
  • Engage Cybersecurity Experts: Partner with cybersecurity firms to conduct regular audits and penetration testing. Aikido Security’s timely detection of the Gluestack NPM Attack limited its impact, demonstrating the value of expert vigilance.
  • Educate Development Teams: Train developers on secure coding practices and the risks of supply chain attacks. Encourage a culture of security awareness to reduce human error.

The Broader Implications for Cybersecurity

The Gluestack NPM Attack is a wake-up call for the tech industry. As software supply chains become more complex, the need for collaboration between developers, enterprises, and cybersecurity professionals grows. Industry standards, such as the Software Bill of Materials (SBOM), can enhance transparency by documenting all components in a software project, making it easier to identify and mitigate risks. Governments are also taking action: in 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued guidelines for securing open-source software, emphasizing the importance of community-driven threat intelligence.

Businesses must also consider the financial and reputational costs of supply chain attacks. A single breach can result in millions of dollars in damages, from incident response to legal fees and lost customer trust. For example, the 2020 SolarWinds attack, another high-profile supply chain breach, cost affected companies an average of $12 million, according to IBM’s Cost of a Data Breach Report. By investing in proactive cybersecurity measures now, businesses can avoid these catastrophic consequences.

Secure Your Supply Chain Today

The Gluestack NPM Attack illustrates that no part of the software supply chain is immune to cyber threats. Whether you’re a developer relying on open-source libraries or a business deploying IoT devices, now is the time to act. Don’t let RATs infiltrate your systems and compromise your data. Contact our cybersecurity experts for a free consultation to assess your supply chain security. We’ll help you audit dependencies, secure your development pipelines, and implement a zero-trust strategy to protect your business. Click here to get started.