Glassworm Malware Targets React Native npm Packages in Supply Chain Attack

Severity: High (Score: 75.0)

Sources: Aikido.Dev, Gbhackers, Cybersecuritynews

Summary

On March 16, 2026, two React Native npm packages, [email protected] and [email protected], were compromised in a supply chain attack attributed to the Glassworm malware. The malicious versions carry an install-time loader (an npm lifecycle script) that runs during a routine npm install and pulls down a multi-stage Windows credential and cryptocurrency stealer. The blast radius is large: the two compromised packages reported a combined 29,763 downloads in the preceding week. The install script is obfuscated and checks for Russian language and timezone signals before proceeding, a filter of the kind malware uses to skip hosts in the operator's home region, which is why the activity is tentatively linked to Russian-speaking threat actors. Earlier versions of the packages do not contain the malicious code, pointing to a compromise of the publisher's release process rather than of the upstream source. The situation is ongoing as security teams assess impact and remediation; the immediate practitioner steps are to pin away from the affected versions, audit lockfiles for them, treat any Windows host that installed them as potentially compromised (rotate credentials and wallet keys), and consider installing with lifecycle scripts disabled.

Key Points:

  • Two popular React Native npm packages were backdoored with malware on March 16, 2026.
  • The malicious code executes during a routine npm install, affecting thousands of developers.
  • The malware includes geographic filters (Russian language and timezone checks), indicating a targeted approach likely linked to Russian threat actors.

Key Entities

  • Glassworm (malware)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Russia (country)
  • calendar.app (domain)
  • nodejs.org (domain)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1105 - Ingress Tool Transfer (mitre_attack)
  • Node.js (tool)
  • React Native (tool)
  • Windows (platform)