On March 16, 2026, a coordinated supply chain attack hit the developer community. A hacker known as Glassworm backdoored two popular React Native npm packages, turning them into silent thieves of credentials and cryptocurrency.
The same publisher, AstrOOnauta, released the two affected packages, react-native-country-select@0.3.91 and react-native-international-phone-number@0.11.8, within minutes of each other. Together, they had more than 134,887 downloads in the month before the attack. Both packages can handle mobile UI tasks like entering a phone number and choosing a country, so many developers trust them to be reliable. The attack didn't require its targets to do anything special.
A normal npm install command run by any developer, CI runner, or build agent was enough to set off the malware.
Check the outbound network logs for connections to 45[.]32[.]150[.]251 and 217[.]69[.]3[.]152. Auditing package lifecycle scripts and flagging unexpected preinstall hooks in build environments lowers the risk of similar supply chain attacks.
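One way to run that audit from a lockfile, as an added example that is not from the original article or the affected packages: it reads a package-lock.json (lockfileVersion 2 or 3 assumed) and reports the two releases named above plus any dependency with install-time scripts that is not on a reviewed list. The `allowedInstallScripts` parameter, the function names and the sample lockfile are assumptions of this example.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// two releases named in this article and for unreviewed install-time scripts.
const AFFECTED = new Map([
  ['react-native-country-select', ['0.3.91']],
  ['react-native-international-phone-number', ['0.11.8']],
]);

// Lock keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is whatever follows the last "node_modules/".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// allowedInstallScripts is this example's own parameter: package names whose
// install scripts your team has already reviewed.
function auditLockfile(lockText, allowedInstallScripts = []) {
  const lock = JSON.parse(lockText);
  const allowed = new Set(allowedInstallScripts);
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = entry.name || nameFromLockKey(key);
    const id = `${name}@${entry.version}`;
    if ((AFFECTED.get(name) || []).includes(entry.version)) {
      findings.push({ id, path: key, reason: 'affected-version' });
    }
    // npm records hasInstallScript for preinstall/install/postinstall hooks.
    if (entry.hasInstallScript && !allowed.has(name)) {
      findings.push({ id, path: key, reason: 'unreviewed-install-script' });
    }
  }
  return findings;
}

// Constructed sample lockfile; the last two package names are hypothetical.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react-native-country-select': { version: '0.3.91', hasInstallScript: true },
    'node_modules/react-native-international-phone-number': { version: '0.11.8' },
    'node_modules/native-addon-example': { version: '1.2.3', hasInstallScript: true },
    'node_modules/x/node_modules/@scope/helper': { version: '2.0.0', hasInstallScript: true },
  },
});

console.table(auditLockfile(SAMPLE_LOCK, ['native-addon-example']));
```

In a build pipeline, pass the contents of the real package-lock.json to `auditLockfile` and fail the job when the returned list is non-empty.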