Researchers have identified a significant supply chain attack affecting GlueStack packages that enables attackers to carry out various malicious activities on infected machines. The malware injected into these packages allows for remote commands, screenshots, and file uploads, potentially facilitating cryptocurrency mining and data theft. The first incident of compromise was reported on June 6, 2025. With nearly 1 million weekly downloads across affected packages, the scope and implications of this attack are considerable, and the tactics employed resemble previous attacks against other npm packages, indicating a persistent threat in the ecosystem.
The compromise of GlueStack packages enables attackers to execute shell commands, capture screenshots, upload files, and potentially mine cryptocurrency or steal sensitive information.
Over a dozen packages were targeted, collectively accounting for nearly 1 million weekly downloads, which increases the risk and impact of the supply chain attack on developers.
The malicious code introduced has parallels to the earlier compromise of 'rand-user-agent', suggesting the same threat actors may be involved in both incidents.