gluestack-ui
gluestack-ui and react-native-aria npm packages trojanized
Beginning 2025-06-06 at 16:33 EST, an attacker who obtained a Gluestack publishing token pushed malicious updates to 17 packages across the @gluestack-ui and @react-native-aria scopes — starting with @react-native-aria/focus 0.2.10 and continuing over the next ~36 hours. The payload was appended to `lib/index.js` after large blocks of whitespace and acted as a remote-access trojan capable of running shell commands, file upload/download, and on Windows hijacking Python by editing PATH. Combined weekly downloads exceeded one million. Aikido Security identified the backdoor on 2025-06-08 and Gluestack revoked the token.
- Date
- 2025-06-06 to 2025-06-08
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Backdoor
- Cause
- Compromised credentials
What Was Affected
- Package
- gluestack-ui
- Language
- javascript
- Component
- Library
- Artifact type
- source archive
- Domain type
- package host
- Domain
- npmjs.com
- Repository
- github.com/gluestack/gluestack-ui
Compromised Versions
Incident Context
- Motive
- Remote access
- Attribution
- Unknown attacker
- Transitive
- No
- User Impact
- 1000000
- Observed Duration
- 2 days
External References
Source Data
Source record: oss/gluestack-ui/meta.yaml