Hijacked npm Packages Deliver Malware via Solana, Linked to Glassworm


Sonatype Security Research has identified two hijacked npm packages in the React Native ecosystem that together receive more than 30,000 downloads per week and were modified to deliver multi-stage malware. Sonatype is tracking the malicious packages as sonatype-2026-001153.

Researchers at StepSecurity first reported this incident, identified the malicious releases, and notified the package maintainer, who promptly deprecated the packages. Analysis of the payload infrastructure showed that the IP addresses contacted by the packages overlap with infrastructure previously associated with the Glassworm campaign.

The attack highlights a known (and especially concerning) trend in software supply chain attacks, in which threat actors compromise trusted packages and embed sophisticated command-and-control mechanisms designed to evade detection.

The malicious versions of the two React Native packages were discovered during Sonatype's ongoing monitoring of open source ecosystems. Both packages have since been removed from npm, but given their popularity in the React Native ecosystem, the incident raises concerns about the potential impact on developer environments and build pipelines.

Glassworm Is Evolving: Hackers Hijack npm Packages

StepSecurity initially analyzed this incident, and their researchers reported the malicious releases and notified the package maintainer, @AstrOOnauta.

Sonatype Security Research later reviewed the compromised packages to better understand the embedded malware behavior. Analysis showed the malicious code was implemented in an install.js script wired to an npm install lifecycle hook, so it runs automatically whenever the package is installed. The script retrieves command data from the Solana blockchain, then downloads and executes a second-stage payload capable of running arbitrary code on affected systems.

The affected libraries were previously legitimate and widely used React Native packages, making this incident an example of a package hijacking attack.

We summarize the compromised packages below:

Package: react-native-country-select
  Typical use in React Native apps: UI components that let users select a country in mobile applications (commonly used in registration, profile, and localization features)
  Malicious version: v0.3.91
  Weekly downloads: ~20,000

Package: react-native-international-phone-number
  Typical use in React Native apps: input and formatting utilities for international phone number fields in mobile applications
  Malicious version: v0.11.8
  Weekly downloads: ~10,000

Attribution remains under investigation, but the observed IP addresses associated with the packages have been previously linked to Glassworm activity.

Why Are Hijacked npm Packages So Dangerous for Developers?

Unlike typosquatting or dependency confusion attacks, which rely on a developer installing the wrong package, a hijacked package is a previously trusted library whose new release suddenly carries malicious code.

In this case, the compromised libraries serve as workhorse packages for mobile applications. Packages like these help developers quickly add polished country selectors and international phone number input fields to forms — features commonly used in account creation, user profiles, and onboarding flows. While these utilities may not be flashy, they are essential building blocks that save developers time and effort when building production-ready mobile interfaces.

Many development environments resolve semver ranges such as ^0.3.0 to the newest matching release at install time, and not every pipeline commits or honors a lockfile. Teams using such "latest version" strategies may therefore have pulled the compromised releases during a routine update without ever choosing them.

Supply chain attacks that compromise trusted packages are particularly dangerous, because they leverage the implicit trust developers place in widely used open source packages. A single malicious update can propagate quickly across thousands of development environments.

What Makes This npm Malware Attack Unique?

This malware stands out for two key reasons: targeted execution logic and the use of blockchain infrastructure as a command channel.

Targeted Execution Designed to Avoid Russian Systems

The malicious code deliberately avoids executing on systems configured for the Russian language.

After installation, an embedded install.js script automatically runs and performs a series of environment checks before continuing execution:

  1. The script waits approximately 10 seconds after installation before beginning its checks.

  2. It inspects several system attributes to determine the host environment, including username, locale variables, system timezone, and UTC offset.

  3. If the environment appears to be Russian, the malware immediately exits and does not continue executing.

This type of language-based filtering is commonly used by Russian-speaking threat actors to avoid attention from domestic law enforcement.

Multi-Stage Malware Delivery Using the Solana Blockchain

If the environment passes the initial checks, the malware proceeds with a multi-stage payload process. The compromised packages act as droppers, retrieving additional instructions and payloads from attacker-controlled infrastructure.

The payload retrieval process works as follows:

  1. The script creates a file named init.json in the user's home directory to prevent execution more than once within roughly two days.

  2. The script polls Solana RPC endpoints every 10 seconds for transactions associated with a specific wallet address.

  3. When a transaction containing a memo field is found, the script treats the memo as a command container.

  4. A numeric prefix is removed, and the remaining content is parsed as JSON configuration data.

  5. The JSON contains a base64-encoded URL pointing to a second-stage payload.

  6. The script decodes the URL and downloads the payload, sending the host operating system as part of the request.

  7. Response headers carry additional parameters, such as ivbase64 and secretkey, which by their names are the IV and key needed to decrypt the payload.

  8. The payload is base64-decoded and executed directly in memory rather than written to disk, via eval or, on non-macOS systems, a Node.js vm context. Note that Node's vm module is not a security boundary; it isolates scope, not privileges, so code run inside it has the same access to the host as code run with eval.

Using the Solana blockchain memo field as a decentralized command channel lets the attackers distribute instructions without relying on a traditional command-and-control server: there is no domain to sinkhole or host to take down, the RPC endpoints the dropper contacts are legitimate public services, and a new command is just another transaction to the same wallet. The wallet address and the polling pattern are nevertheless stable indicators, and outbound requests from a build host to Solana RPC endpoints are anomalous in most CI environments.

Mitigation and Recommended Actions

Developers who installed the affected package versions should take immediate action.

We strongly recommend removing the compromised packages entirely. Because the dropper runs from an install lifecycle script, installing with npm's --ignore-scripts flag would have blocked this stage, but that does nothing for a host where the script has already run. And because these packages function as droppers, they may already have downloaded additional malicious software onto the affected host.

Any system that installed or executed the malicious versions should therefore be treated as compromised. Security teams should investigate for signs of additional malicious activity and remediate any secondary payloads as appropriate.

Because this incident involved compromised versions of otherwise legitimate packages, organizations should also verify that their applications and build processes resolve to uncompromised versions of these dependencies: check lockfiles and installed node_modules trees, including nested copies, for v0.3.91 of react-native-country-select and v0.11.8 of react-native-international-phone-number, and pin to known-good releases.

Securing Software Supply Chains with Sonatype Guide

Developers increasingly rely on automation and AI-assisted tools to select open source dependencies, making visibility into package safety and quality more important than ever.

Sonatype Guide provides developers and AI coding tools with real-time intelligence about open source packages to help identify safer, well-maintained packages earlier in the development process.

Additional technical details about this incident, including Sonatype's research findings, are available free of charge.


Written by Sonatype Security Research Team

Sonatype's Security Research Team is focused on bringing real-time, in-depth intelligence and actionable information about open source and third party vulnerabilities to Sonatype customers.
