A threat actor compromised 16 highly popular React Native and GlueStack packages, collectively downloaded over a million times weekly. The attackers inserted a stealthy backdoor into these packages using whitespace obfuscation to hide malicious code. The payload is a Remote Access Trojan (RAT) similar to one previously deployed in the rand-user-agent compromise, enabling the attacker to execute arbitrary commands, exfiltrate data, and establish persistent C2 communication with hardcoded servers.
The attackers demonstrated sophistication by introducing version-based C2 server switching and expanding the RAT's functionality with new commands such as ss_info (system metadata collection) and ss_ip (external IP reporting). The backdoor is capable of installing dependencies like axios and socket.io-client, interacting with a remote C2, performing file uploads, and executing shell commands. Persistence mechanisms were also introduced, particularly targeting Windows systems via the %LOCALAPPDATA%\Programs\Python\Python3127 path.
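For defenders triaging a project's node_modules after this incident, the following added example (not code from the original report or from the affected packages) flags the two indicators the summary describes: code hidden behind a long run of whitespace on a single line, and references to the Python3127 persistence path. The 200-column gap threshold and the exact whitespace layout are assumptions, since the report does not specify how the obfuscation was arranged.

```python
import re
from pathlib import Path

# Heuristic 1: a long run of spaces/tabs between two non-blank characters on
# one line, i.e. code pushed far off-screen. The 200-column threshold is an
# assumption; the report does not say exactly how the whitespace was laid out.
MIN_HIDDEN_GAP = 200
HIDDEN_GAP_RE = re.compile(r"\S([ \t]{%d,})\S" % MIN_HIDDEN_GAP)

# Heuristic 2: the Windows persistence location named in the report,
# accepting either slash style and escaped backslashes inside JS strings.
PERSIST_PATH_RE = re.compile(r"Programs[\\/]+Python[\\/]+Python3127", re.IGNORECASE)


def scan_source(text: str, name: str = "<memory>") -> list:
    """Return one finding per suspicious line of a JavaScript source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        gap = HIDDEN_GAP_RE.search(line)
        if gap:
            hidden = line[gap.end() - 1:gap.end() + 60]  # first chars after the gap
            findings.append({"file": name, "line": lineno, "kind": "whitespace-gap",
                             "detail": f"{len(gap.group(1))} blanks then {hidden!r}"})
        if PERSIST_PATH_RE.search(line):
            findings.append({"file": name, "line": lineno, "kind": "persistence-path",
                             "detail": line.strip()[:120]})
    return findings


def scan_tree(root: str) -> list:
    """Scan every .js/.cjs/.mjs file below root (e.g. a project's node_modules)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix in {".js", ".cjs", ".mjs"} and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_source(text, str(path)))
    return findings


# Constructed sample resembling a package entry point with a hidden tail;
# the payload text is a harmless stand-in, not the real implant.
SAMPLE_INDEX_JS = (
    "'use strict';\n"
    "module.exports = require('./lib');\n"
    "module.exports.version = '1.0.0';" + " " * 400
    + "(function(){ /* stand-in for the hidden payload */ })();\n"
    "var d = process.env.LOCALAPPDATA + '\\\\Programs\\\\Python\\\\Python3127';\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_INDEX_JS, "index.js"):
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['detail']}")
```

Run scan_tree("node_modules") from the project root and review every hit by hand; a long whitespace gap is a strong signal in a package entry point but can also appear in legitimate minified or generated files.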