In June 2025, a significant supply chain attack on the NPM ecosystem was uncovered, primarily affecting multiple React-Native Aria packages that had been tampered with to distribute a Remote Access Trojan (RAT). The malicious code was embedded in seemingly routine updates, beginning with @react-native-aria/focus version 0.2.10 and quickly spreading to related packages, which collectively record hundreds of thousands of weekly downloads. Once installed, the malware attempted to establish persistence on Windows systems by writing files to local directories and communicating with suspicious external IP addresses, creating a risk of data theft and unauthorized access. Security researchers emphasized that this campaign is part of a growing trend of open-source software compromises, in which attackers exploit the trust placed in widely used packages to infiltrate development pipelines. Reports from security outlets also warned that dozens of other malicious packages were uploaded to NPM in the same period, some of them targeting millions of developers worldwide by attempting to steal host, system, and network data. This coordinated incident underscores the critical importance of supply chain security: developers should validate dependencies, treat package updates with caution, and apply stricter protective measures against malicious code injected into open-source ecosystems.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.