Open Source · 2026-03-16 · 2 days · Credential Theft

react-native-country-select npm account takeover

Part of the "Glassworm hid credential theft in Unicode" campaign

The astroonauta npm account takeover also compromised react-native-country-select, a direct dependency of react-native-international-phone-number.

Story

On the morning of March 16, 2026, an attacker who had taken over an npm account belonging to the maintainer AstrOOnauta published a malicious version of react-native-country-select, a React Native picker library used by tens of thousands of mobile apps each month. The release, 0.3.91, went live at 10:54 UTC, five minutes after the attacker had pushed a matching backdoor into the companion package react-native-international-phone-number.

Researchers at Aikido, who reported the incident under the campaign name Glassworm, said the change at the package boundary was small: one new install.js loader file and a single preinstall lifecycle hook that ran it before npm finished the install. The adjacent 0.3.9 release was clean, which made the diff easy to read.

The loader itself was the interesting part. It queried Solana RPC with getSignaturesForAddress to look up a transaction memo, decoded a URL out of the memo, and fetched a second stage. From there the chain ran through AES-decrypted JavaScript and a Google Calendar share URL used as a further indirection point before reaching attacker infrastructure at 45.32.150.251 and 217.69.3.152. The same loader hash appeared in both React Native packages compromised that morning.

The recovered payload was a Windows-focused stealer. Aikido said it established persistence through a scheduled task and an HKCU Run key, wrote an init.json guard to avoid re-execution, downloaded Node.js runtimes into AppData, killed browser processes before walking profile and wallet storage, and posted the harvested archive to the same C2. StepSecurity tracked the attacker returning over the following two days with additional releases (0.4.1 and 0.4.2) that pushed delivery deeper into transitive dependencies through @agnoliaarisian7180/string-argv and @usebioerhold8733/s-format. Together, the react-native-country-select and react-native-international-phone-number packages drew roughly 130,000 monthly downloads at the time of compromise.
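The package-boundary change described above (one new file plus a preinstall hook that runs it) is the kind of difference a release-to-release check on install-time scripts can flag. The following is an added example, not code from Aikido, StepSecurity or the package itself; the `diffInstallSurface` helper, the script commands and the file lists are constructed for illustration.

```javascript
// Added example: flag install-time execution introduced between two releases.
// Lifecycle scripts npm runs automatically when a registry dependency is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// prev/next: { manifest: <parsed package.json>, files: [paths inside the tarball] }
function diffInstallSurface(prev, next) {
  const prevScripts = prev.manifest.scripts || {};
  const nextScripts = next.manifest.scripts || {};
  const prevFiles = new Set(prev.files);
  const addedFiles = next.files.filter((f) => !prevFiles.has(f));

  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = nextScripts[hook];
    // Skip hooks that are absent or unchanged since the previous release.
    if (cmd === undefined || cmd === prevScripts[hook]) continue;
    findings.push({
      hook,
      command: cmd,
      status: hook in prevScripts ? "changed" : "added",
      // A hook that runs a file first shipped in the same release is the
      // pattern reported for this incident.
      runsNewFiles: addedFiles.filter((f) => cmd.includes(f)),
    });
  }
  return { addedFiles, findings, review: findings.length > 0 };
}

// Constructed sample data modelled on the report: versions and the install.js
// file name come from the page; the "node install.js" command, the test
// script and the other file paths are assumptions.
const clean = {
  manifest: { name: "react-native-country-select", version: "0.3.9",
              scripts: { test: "jest" } },
  files: ["package.json", "lib/index.js"],
};
const suspect = {
  manifest: { name: "react-native-country-select", version: "0.3.91",
              scripts: { test: "jest", preinstall: "node install.js" } },
  files: ["package.json", "lib/index.js", "install.js"],
};

const report = diffInstallSurface(clean, suspect);
console.log(JSON.stringify(report, null, 2));
```

Installing with npm's `--ignore-scripts` option keeps lifecycle hooks such as this one from running at all, at the cost of breaking packages that legitimately need a build step.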

Affected Artifacts

react-native-country-select

npm · repository · Source Archive
Observed
2026-03-16 to 2026-03-18
Compromised Versions
Fixed
0.4.0
Hashes
  • sha256:59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26
  • Aikido reported react-native-country-select@0.3.91 was published on March 16, 2026 at 10:54:18 UTC and had 9,072 weekly downloads and 42,589 monthly downloads when checked that day.
  • StepSecurity later tracked additional malicious releases, including transitive delivery through @agnoliaarisian7180/string-argv and @usebioerhold8733/s-format.

Incident Context

Motive
Credential Theft
Cause
Compromised Account Credentials
Transitive
Yes

External References

Source record: oss/attacks/react-native-country-select/meta.yaml