react-native-international-phone-number npm account takeover
Part of the Glassworm campaign, which hid credential theft in Unicode
An attacker controlling the astroonauta npm account published malicious react-native-international-phone-number releases without matching GitHub releases, tags, or workflow runs.
Story
The first malicious release of react-native-international-phone-number, version 0.11.8, hit npm at 10:49 UTC on March 16, 2026, five minutes ahead of a matching backdoor in the companion package react-native-country-select. Both belonged to the same maintainer, AstrOOnauta, whose npm account had been taken over. Together the two packages drew roughly 130,000 monthly downloads and shipped in a long tail of React Native phone-input screens.
Researchers at Aikido, reporting the incident under the campaign name Glassworm, said 0.11.8 added a preinstall hook that ran a new install.js loader before npm finished installing. The prior 0.11.7 release carried no such hook. Aikido also noted that 0.11.8 still depended on the clean react-native-country-select 0.3.9, which meant this package had been directly backdoored rather than merely poisoned through its dependency.
The loader walked the same staged path as the companion package. It queried Solana RPC for a transaction memo, decoded a link out of it, fetched a second stage, and decrypted a third stage. The third stage pulled a Google Calendar share URL as a further indirection point before reaching attacker infrastructure at 45.32.150.251.
The recovered payload targeted Windows developer machines. It established persistence through a scheduled task and an HKCU Run key, wrote an init.json state file, downloaded Node.js runtimes into AppData, walked browser profile and crypto-wallet storage, collected npm and GitHub credentials, and posted the archive to the same C2. StepSecurity later tracked the same attacker republishing through 0.12.1, 0.12.2, and 0.12.3, moving delivery into a transitive dependency chain via @agnoliaarisian7180/string-argv and @usebioerhold8733/s-format to keep the loader out of the top-level package after the first round of deprecations.
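The first-wave tell described above, a lifecycle hook present in 0.11.8 but absent from 0.11.7, is the kind of change a release-diff check can catch before npm runs it. The following Node.js script is an added example, not code from the advisory or the project: it compares two package manifests and flags newly introduced install hooks, newly introduced dependencies (the later releases moved the loader into fresh transitive packages), and versions the report names as malicious. The two manifests are constructed stand-ins reduced to the fields the check reads, and the `node install.js` command string is an assumption.

```javascript
// Constructed stand-in for the clean 0.11.7 manifest (not the real file).
const prevManifest = {
  name: 'react-native-international-phone-number',
  version: '0.11.7',
  scripts: { build: 'tsc' },
  dependencies: { 'react-native-country-select': '0.3.9' },
};

// Constructed stand-in for 0.11.8: same dependencies, plus a preinstall hook
// that runs install.js. The exact command string is assumed.
const nextManifest = {
  name: 'react-native-international-phone-number',
  version: '0.11.8',
  scripts: { build: 'tsc', preinstall: 'node install.js' },
  dependencies: { 'react-native-country-select': '0.3.9' },
};

// Hooks npm runs automatically during install; a new one warrants review.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Versions the advisory names as malicious for this package.
const KNOWN_BAD_VERSIONS = new Set(['0.11.8', '0.12.1', '0.12.2', '0.12.3']);

// Return a list of findings describing what changed between prev and next.
function auditManifestChange(prev, next) {
  const findings = [];
  const prevScripts = prev.scripts || {};
  const nextScripts = next.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (hook in nextScripts && !(hook in prevScripts)) {
      findings.push({ kind: 'new-lifecycle-hook', hook, command: nextScripts[hook] });
    }
  }
  const prevDeps = prev.dependencies || {};
  for (const dep of Object.keys(next.dependencies || {})) {
    if (!(dep in prevDeps)) {
      findings.push({ kind: 'new-dependency', dep });
    }
  }
  if (KNOWN_BAD_VERSIONS.has(next.version)) {
    findings.push({ kind: 'known-malicious-version', version: next.version });
  }
  return findings;
}

console.log(auditManifestChange(prevManifest, nextManifest));
```

Run it against the real manifests by loading the two package.json files instead of the constructed objects; an empty list means no hook, dependency, or version change of the kinds checked.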
Affected Artifacts
- Observed: 2026-03-16 to 2026-03-18
- Fixed: 0.11.7
- Hashes: sha256:59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26
- Evidence: distribution: npmjs.com/package/react-native-international-phone-number/v/0.11.8, distribution: npmjs.com/package/react-native-international-phone-number/v/0.12.1, distribution: npmjs.com/package/react-native-international-phone-number/v/0.12.2, distribution: npmjs.com/package/react-native-international-phone-number/v/0.12.3, +16 more
- Aikido reported react-native-international-phone-number@0.11.8 was published on March 16, 2026 at 10:49:29 UTC and had 20,691 weekly downloads and 92,298 monthly downloads when checked that day.
- Aikido noted 0.11.8 depended on react-native-country-select@0.3.9, the clean adjacent version, so the first-wave compromise was direct rather than inherited from react-native-country-select@0.3.91.
- StepSecurity later tracked additional malicious releases, including transitive delivery through @agnoliaarisian7180/string-argv and @usebioerhold8733/s-format.
Incident Context
- Motive: Credential Theft
- Cause: Compromised Account Credentials
- Transitive: Yes
External References
- Malicious npm Releases Found in Popular React Native Packages - 130K Monthly Downloads Compromised (stepsecurity.io)
- Malicious release report for react-native-international-phone-number (github.com)
- Follow-up malicious release report for react-native-international-phone-number (github.com)
- Glassworm Strikes Popular React Native Phone Number Packages (aikido.dev)
Source record: oss/attacks/react-native-international-phone-number/meta.yaml