react-native-international-phone-number
react-native-international-phone-number npm account takeover
An attacker controlling the astroonauta npm account published malicious react-native-international-phone-number releases without matching GitHub releases, tags, or workflow runs. The first wave used a direct preinstall hook; later releases hid the same malware behind a dependency chain through @agnoliaarisian7180/string-argv and @usebioerhold8733/s-format. The final chain executed a detached JavaScript loader using a Solana wallet dead-drop C2, RPC fallbacks, geofiltering, encrypted payload delivery, and a local rate-limit file. The incident is notable for the attacker returning after disclosure and switching from obvious install hooks to transitive delivery.
- Date
- 2026-03-16 to 2026-03-18
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Credential theft
- Cause
- Compromised Account/Credentials
What Was Affected
Compromised Versions
Incident Context
- Motive
- Credential Theft
- Transitive
- Yes
- User Impact
- 0
- Observed Duration
- 2 days
Evidence
Compromised Artifacts
- npmjs.com/package/react-native-international-phone-number/v/0.11.8
- npmjs.com/package/react-native-international-phone-number/v/0.12.1
- npmjs.com/package/react-native-international-phone-number/v/0.12.2
- npmjs.com/package/react-native-international-phone-number/v/0.12.3
- npmjs.com/package/@agnoliaarisian7180/string-argv/v/0.3.0
- npmjs.com/package/@usebioerhold8733/s-format/v/2.0.4
External References
Source Data
Source record: oss/react-native-international-phone-number/meta.yaml