Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised
Malicious releases were discovered in two popular React Native npm packages, react-native-international-phone-number and react-native-country-select, which together see 130K+ monthly downloads. StepSecurity detected and reported the compromise on March 16, 2026, and immediately notified the maintainers and the community.
- Disclosed: March 16, 2026
- Last updated: June 7, 2026
- Blast radius: Popular React Native packages with 130K+ monthly downloads combined; widespread reach across the React Native development community
- Ecosystems: npm
- Attack vectors
- Affected entities
- react-native-international-phone-number: npm package with 130K+ monthly downloads (combined with react-native-country-select)
- react-native-country-select: npm package with 130K+ monthly downloads (combined with react-native-international-phone-number)
On March 16, 2026, StepSecurity Threat Intel detected malicious releases in two widely-used React Native npm packages: react-native-international-phone-number and react-native-country-select. These packages collectively have over 130,000 monthly downloads, indicating a significant potential user base for the compromise.
StepSecurity's AI-powered Package Analyst identified the compromised versions and filed security issues directly in both GitHub repositories to alert the maintainers and the broader community. StepSecurity reports that it was the first to detect and report the incident, coordinating disclosure before other security vendors became aware of it.
The incident affects developers using these packages in their React Native projects. The extent of the payload and behavioral impact of the malicious versions is not detailed in the source material.
Indicators of compromise
- Packages
- react-native-international-phone-number
- react-native-country-select
Remediation
- Identify and audit all installations of react-native-international-phone-number and react-native-country-select in your projects
- Update to patched versions of both packages as released by maintainers
- Review logs and runtime behavior during the window when malicious versions may have been installed
- Re-evaluate your npm package supply chain security processes and consider automated detection tools
- Monitor npm for any further suspicious releases from these or related packages
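To support the first remediation step, the following added example (not from the catalog entry or from StepSecurity) audits an npm lockfile for every installed copy of the two affected packages, handling both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 `packages` map. The page gives no malicious version numbers, so the script reports the installed versions for comparison against the maintainers' patched releases; the embedded lockfile and its `0.0.0-constructed` versions are constructed sample data.

```python
import json
import sys

# Packages named in the advisory. No malicious version numbers are given on the page,
# so this audit lists every installed copy and its version for comparison with the
# maintainers' patched releases.
AFFECTED = {
    "react-native-international-phone-number",
    "react-native-country-select",
}


def _walk_v1(deps, parent, affected, hits):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, info in (deps or {}).items():
        path = f"{parent}/node_modules/{name}" if parent else f"node_modules/{name}"
        if name in affected:
            hits.setdefault(name, []).append((path, info.get("version")))
        _walk_v1(info.get("dependencies"), path, affected, hits)


def find_affected(lock, affected=AFFECTED):
    """Return {package: [(install path, version), ...]} for every copy in the lockfile."""
    hits = {}
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, info in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name in affected:
                hits.setdefault(name, []).append((path, info.get("version")))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), "", affected, hits)
    return hits


# Constructed sample lockfile with placeholder versions (not real release numbers).
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react": {"version": "18.2.0"},
    "node_modules/react-native-international-phone-number": {"version": "0.0.0-constructed"},
    "node_modules/react-native-international-phone-number/node_modules/react-native-country-select":
      {"version": "0.0.0-constructed"}
  }
}""")

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, copies in find_affected(lock).items():
        for path, version in copies:
            print(f"{name}@{version} at {path}")
```

Run it as `python audit_lock.py package-lock.json` against a real project; a nested copy under another package's `node_modules` is reported as well, since transitive installs are just as exposed.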
Cite this entry
"Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed March 16, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/malicious-npm-releases-found-in-popular-react-native-packages-130k-monthly-downl-54qovl