npm’s Trojan Phonebook: React Native Devs Unwittingly Deliver Credential-Stealing Malware
A stealthy supply chain attack infects tens of thousands of projects, siphoning credentials and crypto through trusted code.
It started with a routine update - the kind of npm install command thousands of developers run every day. But in March 2026, that ordinary act became the opening move in a sophisticated supply chain heist, as trusted React Native packages silently transformed into credential-stealing malware delivery vehicles. The attackers weaponized popularity, slipping their code in under the radar and unleashing a multi-stage attack on unsuspecting Windows machines worldwide.
The Anatomy of a Silent Heist
The breach began when a threat actor compromised npm accounts linked to AstrOOnauta, releasing new “minor” versions of react-native-international-phone-number and react-native-country-select. These packages, boasting a combined 130,000 monthly downloads, became the perfect trojan horses. The attackers acted fast: the malicious builds of the two packages were byte-identical and were published within minutes of each other, replacing the clean versions.
The technical weapon? A newly added, heavily obfuscated preinstall script. Declared in the package configuration (package.json), it executed automatically during installation - no user interaction required. Its first move: contacting a Solana blockchain endpoint, not to make a crypto transaction, but to fetch a transaction memo containing a hidden URL. That URL led to the next payload stage, where decryption keys unlocked a Windows-focused stealer.
Once inside, the malware established persistence by quietly editing scheduled tasks and registry keys. To further mask its tracks, it used a Google Calendar URL to receive final instructions, adding an extra layer of indirection that would challenge even seasoned threat hunters.
The payload was precise in its targets. It scanned for browser profiles in Chromium and Firefox, zeroing in on extensions like MetaMask, Phantom, and Trust Wallet - all prime cryptocurrency targets. It didn’t stop at digital wallets; npm registry tokens and GitHub credentials were also in its crosshairs, threatening organizational supply chains at their roots.
But not all victims were equal. The malware checked system settings for Russian language or time zones. If detected, it exited quietly - a classic move seen in campaigns by Russian-speaking cybercriminals, who often avoid attacks on home turf.
Indicators of compromise, including hashes and suspicious domains like socket.network and n.xyz, have been published. Security experts urge developers to audit their environments, pin dependencies to clean versions, and rotate any exposed credentials immediately.
Reflections: Trust, but Verify
This incident is a stark reminder: in the world of open source, trust is a double-edged sword. The convenience of shared code comes with risk, and attackers are increasingly adept at exploiting the invisible supply lines that power modern development. For every developer, vigilance is now as essential as innovation.
WIKICROOK
- Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
- npm: npm is a central online library where developers share, update, and manage JavaScript code packages to build software efficiently and securely.
- Preinstall Script: A preinstall script is code that runs automatically before a package installs, often for setup tasks, but it can be misused for malicious purposes.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
- Indicator of Compromise (IOC): An Indicator of Compromise (IOC) is a clue, like a suspicious file or IP address, that signals a system may have been hacked.