react-native-country-select
react-native-country-select npm account takeover
The astroonauta npm account takeover also compromised react-native-country-select, a direct dependency of react-native-international-phone-number. The first malicious release used a visible preinstall hook; after deprecation, the attacker retained access and republished through a transitive dependency chain that resolved to @usebioerhold8733/s-format. That chain executed the same detached JavaScript malware and Solana blockchain C2 used in the first wave. During the incident, @latest resolved to compromised 0.4.2, exposing users of both packages.
- Date: 2026-03-16 to 2026-03-18
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Credential theft
- Cause: Compromised Account/Credentials
What Was Affected
- Package: react-native-country-select
- Language: JavaScript
- Component: Library
- Artifact type: source archive
- Domain type: package host
- Domain: npmjs.com
Compromised Versions
Incident Context
- Motive: Credential Theft
- Transitive: Yes
- User Impact: 0
- Observed Duration: 2 days
Evidence
Compromised Artifacts
External References
Source Data
Source record: oss/react-native-country-select/meta.yaml