Gluestack npm Hack Hits 960,000 Weekly Downloads

A major supply chain attack has compromised 15 widely used Gluestack packages on the npm registry, libraries that collectively draw over 950,000 downloads each week. The affected releases were altered to carry malicious code that functions as a remote access trojan (RAT), giving the attackers a route to unauthorized control over any system that installed and ran the compromised versions.

The incident underscores the growing threat posed by software supply chain attacks, which infiltrate trusted development tools and propagate through widely adopted open-source ecosystems. The malicious versions remained available on the registry long enough to pose a significant risk to developers and organizations that depend on them. Because the payload is a RAT rather than a simple credential stealer, any developer workstation or CI runner that installed an affected version during that window should be treated as compromised until it has been examined, not merely cleaned by reinstalling the package.
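The first question a team asks after an advisory like this is whether any compromised release is actually in its dependency tree, including transitively. The following added example (not code from the article or from the Gluestack project) scans an npm lockfile (lockfileVersion 2 or 3) for packages on a denylist of known-bad name/version pairs, and also flags two things that make a later compromise easier to miss: entries installed without an integrity hash, and entries resolved from somewhere other than the expected registry. The package names, versions and the sample lockfile are constructed placeholders; substitute the list from the advisory you are responding to.

```javascript
// Added example, not from the article or from Gluestack. Scans an npm
// package-lock.json (lockfileVersion 2 or 3) for known-compromised releases.

// Constructed placeholder denylist: replace with the advisory's real name/version list.
const COMPROMISED = {
  "@example-aria/focus": ["0.2.10", "0.2.11"],
  "@example-ui/utils": ["1.4.2"],
};

// Registry every dependency is expected to come from.
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// Flatten the lockfile's "packages" map into {name, version, path, resolved, integrity}.
// Nested installs (node_modules/a/node_modules/b) are included, so transitive
// dependencies are covered.
function installedPackages(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("no 'packages' map: lockfileVersion 1 is not supported, regenerate with npm 7 or later");
  }
  const marker = "node_modules/";
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || meta.link) continue; // skip the root project and workspace symlinks
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({
      name,
      version: meta.version,
      path,
      resolved: meta.resolved || null,
      integrity: meta.integrity || null,
    });
  }
  return out;
}

// Return every package that is on the denylist, lacks an integrity hash,
// or was resolved from an unexpected registry.
function scanLockfile(lockText, denylist = COMPROMISED) {
  const findings = { compromised: [], noIntegrity: [], offRegistry: [] };
  for (const pkg of installedPackages(lockText)) {
    const badVersions = denylist[pkg.name];
    if (badVersions && badVersions.includes(pkg.version)) findings.compromised.push(pkg);
    if (!pkg.integrity) findings.noIntegrity.push(pkg);
    if (pkg.resolved && !pkg.resolved.startsWith(EXPECTED_REGISTRY)) findings.offRegistry.push(pkg);
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one direct hit, one clean
// release of a listed package, one transitive hit, one entry without an
// integrity hash, and one pulled from a non-default registry.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-ui/utils": {
      version: "1.4.2",
      resolved: "https://registry.npmjs.org/@example-ui/utils/-/utils-1.4.2.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/@example-aria/focus": {
      version: "0.2.9",
      resolved: "https://registry.npmjs.org/@example-aria/focus/-/focus-0.2.9.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/example-helper": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/example-helper/-/example-helper-2.0.0.tgz",
    },
    "node_modules/example-helper/node_modules/@example-aria/focus": {
      version: "0.2.10",
      resolved: "https://registry.npmjs.org/@example-aria/focus/-/focus-0.2.10.tgz",
      integrity: "sha512-CCCC",
    },
    "node_modules/example-mirror-pkg": {
      version: "3.1.0",
      resolved: "https://mirror.example.internal/example-mirror-pkg/-/example-mirror-pkg-3.1.0.tgz",
      integrity: "sha512-DDDD",
    },
  },
});

const report = scanLockfile(SAMPLE_LOCK);
for (const [kind, pkgs] of Object.entries(report)) {
  for (const p of pkgs) console.log(`${kind}: ${p.name}@${p.version} (${p.path})`);
}
```

Matching is on exact versions, which is the right granularity here: the malicious code shipped in newly published releases, so a clean earlier version of the same package is not a finding. A hit on the denylist means the tarball was fetched; whether its code ran depends on install scripts and on what was executed afterwards, so treat a hit as the start of an incident response, not the end of one.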

npm, the default package registry for JavaScript, has seen a series of similar incidents in recent years, raising concerns about how published packages are vetted. The compromise of Gluestack's packages is a further reminder that securing open-source dependencies remains an unsolved problem across the global development community.
