Supply Chain Attack Hits Gluestack NPM Packages with Million Weekly Downloads

Figure 1: Visual representation of the BeyondTrust vulnerability chain

The attack timeline began on June 6, 2025, when an attacker gained access to a Gluestack maintainer's NPM access token. Using this token, the attacker published new versions of 17 packages containing malicious code. The first compromised package version was published at 4:33 PM EST on June 6.

Aikido Security's automated malware detection system flagged the suspicious packages within hours. Charlie Eriksen, a security researcher at Aikido, filed GitHub issue #2894 on the gluestack-ui repository on June 7, 2025, titled "Packages have been compromised." The issue detailed the technical findings and provided indicators of compromise.

Gluestack responded rapidly to the disclosure. The company confirmed the breach in a statement, explaining that an NPM access token had been compromised. Gluestack revoked the token, deprecated all affected package versions, and published clean versions to replace the malicious ones. The GitHub issue was subsequently closed after remediation was complete.

According to BleepingComputer, the affected packages had accumulated over one million weekly downloads combined, making this one of the more significant NPM supply chain attacks in terms of potential reach.

Aikido Security's technical analysis revealed that the malicious code established a connection to a command-and-control server at IP address 85.239.62[.]36 on port 3306. The malware used the socket.io-client library to maintain persistent communication with the attacker's infrastructure.

The RAT payload included capabilities for remote shell command execution and file upload functionality. According to Aikido's analysis, the malware could execute arbitrary commands on infected systems and exfiltrate files to the attacker-controlled server.

Researchers also identified a Windows-specific persistence mechanism. The malware created a fake Python directory at %LOCALAPPDATA%\Programs\Python\Python3127 and modified the system PATH environment variable to include this directory. This technique, known as PATH hijacking, allows the malware to intercept legitimate program executions.

The malicious code was injected into the packages' postinstall scripts, meaning the payload would execute automatically when developers ran npm install on projects using the affected packages.

Figure 2: How the authentication bypass vulnerability works

The rapid detection and response to this incident demonstrates the value of automated security monitoring for package registries. Aikido's detection system identified the compromise within hours of the malicious packages being published, limiting the window of exposure.

Gluestack's transparent communication and swift remediation provides a model for how maintainers should respond to supply chain compromises. The company acknowledged the breach publicly, provided technical details to help affected users, and deprecated malicious versions promptly.

The incident reinforces the importance of security practices such as using lockfiles (package-lock.json or yarn.lock) to pin dependency versions, which would have prevented automatic installation of the compromised versions for existing projects.

The attack exploited a fundamental weakness in the NPM ecosystem: the trust placed in package maintainers and their access credentials. A single compromised access token enabled the attacker to push malicious code to over one million weekly downloads worth of packages.

Developers who installed or updated the affected packages during the compromise window may have executed the malicious postinstall scripts. The RAT's capabilities for remote command execution and file exfiltration pose significant risks to affected systems, particularly in development environments that may have access to source code, credentials, and production infrastructure.

The Windows PATH hijacking technique could persist on affected systems even after removing the malicious packages. Developers on Windows who installed the compromised versions should audit their PATH environment variable and check for the fake Python directory.

Detection of supply chain attacks remains challenging for individual developers. Without automated security scanning, the malicious code could have gone unnoticed for an extended period.

Figure 3: Privilege escalation from user to SYSTEM level

NPM supply chain attacks exploit the trust model of package management systems. When developers add a dependency to their project, they implicitly trust that the package maintainer has not included malicious code. NPM packages can include lifecycle scripts, such as postinstall, that execute automatically during installation.

In this attack, the malicious code was embedded in the postinstall script of each compromised package. When a developer ran npm install, the script executed with the permissions of the user running the command. The script then established a WebSocket connection to the attacker's server using the socket.io-client library.

The RAT architecture followed a client-server model. The infected system acted as a client, connecting to the command-and-control server and awaiting instructions. The server could send commands for the client to execute, including shell commands and file upload requests.

The PATH hijacking technique on Windows works by creating a directory containing malicious executables with names matching legitimate programs. By prepending this directory to the PATH environment variable, the operating system will execute the malicious version when a user or script invokes the program by name.

Technical context (optional): The use of port 3306, typically associated with MySQL, may have been an attempt to disguise the malicious traffic as database communication. The socket.io-client library provides WebSocket functionality with automatic reconnection, making it suitable for maintaining persistent command-and-control channels.

NPM supply chain attacks have become an increasingly common vector for distributing malware. The JavaScript ecosystem's reliance on numerous small packages creates a large attack surface. A single compromised maintainer account can affect thousands of downstream projects.

The Gluestack incident follows a pattern of attacks targeting popular packages with high download counts. Previous incidents have affected packages such as event-stream, ua-parser-js, and coa. Each incident prompts renewed discussion about the security of open source supply chains.

Package registries including NPM have implemented various security measures, such as two-factor authentication requirements for maintainers of popular packages. However, access token compromise remains a viable attack vector, as tokens may be stored in CI/CD systems, developer machines, or other locations where they can be stolen.

The incident underscores the tension between the convenience of automatic dependency updates and the security risks they introduce. Organizations must balance the benefits of receiving security patches quickly against the risk of automatically installing compromised code.

Confirmed:

• 17 Gluestack NPM packages were compromised with RAT malware
• The compromise occurred on June 6, 2025, starting at approximately 4:33 PM EST
• An NPM access token was compromised, enabling the attack
• The malware communicated with a server at 85.239.62[.]36:3306
• Gluestack revoked the token and deprecated affected versions
• The GitHub issue (#2894) documenting the compromise has been closed

Unclear:

• How the NPM access token was initially compromised
• The total number of systems that installed the malicious packages during the compromise window
• Whether any systems were actively exploited via the RAT capabilities
• The identity or motivation of the attackers
• Whether any data was exfiltrated from affected systems

Gluestack may release additional details about the root cause of the token compromise and any additional security measures being implemented. Developers should monitor the gluestack-ui GitHub repository for security advisories.

Organizations using Gluestack packages should audit their systems for indicators of compromise, including network connections to the identified command-and-control IP address and the presence of the fake Python directory on Windows systems.

The NPM security team may provide additional guidance or implement new protections in response to this incident. Package registry security remains an active area of development across the JavaScript ecosystem.

Security researchers may publish additional technical analysis of the malware payload, providing more detailed indicators of compromise for defenders.

1. BleepingComputer - "Gluestack NPM packages with 1M weekly downloads compromised with RAT malware" - June 7, 2025 - https://www.bleepingcomputer.com/news/security/gluestack-npm-packages-with-1m-weekly-downloads-compromised-with-rat-malware/

2. Aikido Security Blog - "Catching a RAT: Remote Access Trojan - Gluestack NPM Packages Compromised" - June 7, 2025 - https://www.aikido.dev/blog/catching-a-rat-remote-access-trojan-gluestack-npm-packages-compromised

3. GitHub Issue #2894 - "Packages have been compromised" - gluestack/gluestack-ui - June 7, 2025 - https://github.com/gluestack/gluestack-ui/issues/2894