September 4, 2025

React Native ARIA & gluestack-ui Security Incident Report

Sanchit Kumar, Building gluestack-ui
Ujjwal Aggarwal, Building gluestack-ui
Gluestack Support Team, Support Team

Incident ID: RN-ARIA-2025-001
Date Published: September 4, 2025
Incident Date: June 6-8, 2025
Severity: High
Status: Resolved

Executive Summary

Bottom Line: While the attack was significant in scope, the impact to end users was minimal due to the frontend-only nature of React Native ARIA libraries and swift response actions. No system-level compromises have been confirmed based on current analysis.

On June 6, 2025, the React Native ARIA and gluestack-ui npm packages were compromised in a sophisticated supply chain attack that affected 17 packages with over 1 million combined weekly downloads. A threat actor gained unauthorized access to publishing credentials and injected Remote Access Trojan (RAT) malware into widely-used JavaScript packages. The incident was contained within 48 hours, with immediate remediation actions taken to protect the ecosystem.

Impact Overview

Packages Compromised: 17
Weekly Downloads: 1M+
Hours of Exposure: 17

Incident Timeline

June 6, 2025

21:33 GMT - Initial Compromise

  • Version 0.2.10 of @react-native-aria/focus published with malicious code
  • First package compromised after 8 months of inactivity
  • Previous version 0.2.9 released October 18, 2023

June 7, 2025

00:37-00:48 GMT - Attack Escalation

8 additional packages compromised in rapid succession:

@react-native-aria/utils (0.2.13)
@react-native-aria/overlays (0.3.16)
@react-native-aria/interactions (0.2.17)
@react-native-aria/toggle (0.2.12)
@react-native-aria/switch (0.2.5)
@react-native-aria/checkbox (0.2.11)
@react-native-aria/radio (0.2.14)
@react-native-aria/button (0.2.11)

14:28-14:46 GMT - Second Wave

7 additional packages targeted:

@react-native-aria/menu (0.2.16)
@react-native-aria/listbox (0.2.10)
@react-native-aria/combobox (0.2.8)
@react-native-aria/disclosure (0.2.9)
@react-native-aria/slider (0.2.13)
@react-native-aria/separator (0.2.7)
@gluestack-ui/utils (0.1.16, 0.1.17)

June 8, 2025

Early Morning - Discovery and Response

  • Aikido Security identifies and reports the compromise
  • @react-native-aria/tabs (0.2.14) discovered to be compromised

01:22 GMT - Immediate Containment

  • All compromised package versions marked as deprecated on npm
  • Compromised access tokens revoked
  • GitHub repository access restricted

June 9, 2025

Public Disclosure

  • Public security incident disclosure
  • Full technical analysis published
  • Coordinated response with npm security team

Technical Analysis

Attack Vector

Root Cause

The compromise occurred through a leaked npm access token belonging to an authorized maintainer. The token lacked two-factor authentication protection.

The threat actor was able to:
  1. Publish malicious versions of existing packages
  2. Inject obfuscated RAT code into legitimate libraries
  3. Establish C&C infrastructure for remote access
  4. Deploy persistence mechanisms on compromised systems

Malicious Payload Analysis

Obfuscation Techniques

  • Whitespace-based hiding: Pushed malicious content off-screen
  • JavaScript obfuscation: Heavy encoding to evade detection
  • File padding: Obscured malicious modifications

RAT Capabilities

  • Command execution on infected systems
  • File operations: Upload/download functionality
  • System reconnaissance and metadata harvesting
  • Persistence mechanisms via fake Python directories

Command & Control Infrastructure

C2 Servers

Primary Infrastructure

136.0.9.8:3306
136.0.9.8:27017

Secondary Infrastructure

85.239.62.36:3306
85.239.62.36:27017

New Malware Capabilities

The attackers enhanced their RAT with two new commands:

  • ss_info: Harvests system metadata including OS info, Node.js version, script paths, and runtime context
  • ss_ip: Retrieves public IP address information via external API calls to ip-api.com


Impact Assessment

Scope of Compromise

Attack Scale

Packages: 17 compromised
Downloads: 1,020,000+ weekly
Exposure: ~17 hours

Risk Mitigation Factors

Why Impact Was Limited

  • Frontend-only libraries: React Native ARIA packages execute in browser/mobile contexts, not CLI or post-install scripts
  • Limited execution context: Malicious code requires specific runtime conditions to activate
  • Rapid containment: Swift response limited the exposure window significantly

Confirmed Impact

  • No confirmed system-level compromises reported
  • No evidence of successful data exfiltration
  • No reports of operational disruption from affected users

Indicators of Compromise (IoCs)

Compromised Package Versions

Check Your Dependencies

React Native ARIA Packages

@react-native-aria/focus@0.2.10
@react-native-aria/utils@0.2.13
@react-native-aria/overlays@0.3.16
@react-native-aria/interactions@0.2.17
@react-native-aria/toggle@0.2.12
@react-native-aria/switch@0.2.5
@react-native-aria/checkbox@0.2.11
@react-native-aria/radio@0.2.14
@react-native-aria/button@0.2.11
@react-native-aria/menu@0.2.16
@react-native-aria/listbox@0.2.10
@react-native-aria/tabs@0.2.14
@react-native-aria/combobox@0.2.8
@react-native-aria/disclosure@0.2.9
@react-native-aria/slider@0.2.13
@react-native-aria/separator@0.2.7

GlueStack Packages

@gluestack-ui/utils@0.1.16
@gluestack-ui/utils@0.1.17

Network Indicators

Monitor for These IPs

136.0.9.8:3306
136.0.9.8:27017
85.239.62.36:3306
85.239.62.36:27017

File System Indicators

Windows Persistence Path

%LOCALAPPDATA%\Programs\Python\Python3127

If you find any files in this location, your system may be compromised.


User Recommendations

Immediate Actions Required

1. Audit Package Dependencies

Check for compromised packages:
  npm list @react-native-aria/focus@0.2.10
  npm list @gluestack-ui/utils@0.1.16
  npm list @gluestack-ui/utils@0.1.17

Run a security audit:
  npm audit --audit-level moderate

  • Check package-lock.json and yarn.lock files
  • Review dependency trees for affected packages
  • Use package manager audit tools

2. Update to Safe Versions

Update all affected packages (npm update takes explicit package names; a bare scope such as @react-native-aria/ is not a valid argument):
  npm update @react-native-aria/focus @react-native-aria/utils @react-native-aria/overlays @react-native-aria/interactions @react-native-aria/toggle @react-native-aria/switch @react-native-aria/checkbox @react-native-aria/radio @react-native-aria/button @react-native-aria/menu @react-native-aria/listbox @react-native-aria/tabs @react-native-aria/combobox @react-native-aria/disclosure @react-native-aria/slider @react-native-aria/separator
  npm update @gluestack-ui/utils

Verify package integrity:
  npm audit signatures

  • Update to latest verified versions immediately
  • Verify package integrity using npm checksums
  • Test applications after updates
  • Confirm afterwards that package-lock.json and yarn.lock no longer pin any listed version; npm update stays within the ranges in package.json, and the deprecated versions remain downloadable from the registry

3. Security Assessment

  • Review firewall logs for connections to identified C2 servers
  • Scan systems for files in suspicious Python directory paths
  • Monitor for unusual network traffic or system behavior
  • Consider running endpoint detection tools

Response Actions

Immediate Response (June 8, 2025)

Access Control

  • Revoked all compromised npm access tokens
  • Removed npm publishing access for affected accounts
  • Revoked GitHub access for non-essential contributors

Package Management

  • Deprecated all compromised package versions
  • Updated latest tags to safe versions
  • Published clean replacement versions

Ongoing Security Improvements

Enhanced Security Measures

Technical Controls

  • Mandatory 2FA for all publishing
  • Verified commit signing requirements
  • Automated security scanning
  • Enhanced access logging

Process Controls

  • Pull request-based workflow
  • Mandatory code review gates
  • Controlled release pipelines
  • Regular security training

Prevention Measures

Technical Controls

Authentication

Mandatory 2FA for all publishing and repository access

Code Integrity

Cryptographic signing and continuous security scanning

Monitoring

AI-powered detection and threat intelligence integration


Acknowledgments

Special Thanks

Aikido Security - For discovering and responsibly disclosing the compromise

npm Security Team - For rapid response and coordination

Security Community - For ongoing vigilance and support

React Native ARIA Users - For patience during remediation


Contact Information

General Support: support@gluestack.io
GitHub: Repository

CVE Information

CVE ID: CVE-2025-XXXX (Pending)
CVSS Score: 7.8 (High)
CWE: CWE-506

This report represents our current understanding of the incident based on available evidence. We will update this document as additional information becomes available.
