Embedded Malicious Code Affecting @gluestack-ui/utils package, versions =0.1.16, =0.1.17


Severity

critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Attacked

  • Snyk ID: SNYK-JS-GLUESTACKUIUTILS-10336056
  • Published: 10 Jun 2025
  • Disclosed: 6 Jun 2025
  • Credit: Charlie Eriksen

Introduced: 6 Jun 2025

Type: Malicious. CVE: not available. CWE-506

How to fix?

Avoid using all malicious instances of the @gluestack-ui/utils package.

Overview

@gluestack-ui/utils provides utility functions used internally in gluestack-ui.

Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a remote access trojan (RAT). A malicious actor compromised a public access token associated with one of Gluestack-UI's contributors, which allowed the attacker to publish tampered versions of the react-native-aria packages, along with the @gluestack-ui/utils package, to npm.

Maintainer’s Notice

React Native ARIA is a frontend-only library. It does not execute any code in CLI or scripts post-install, meaning the likelihood of the malicious code executing on user systems is extremely low. This disclaimer is based on their current understanding of the issue and observed usage patterns. See https://github.com/gluestack/gluestack-ui/issues/2894#issuecomment-2955003750

RAT Behavior

According to the issue's reporter, the obfuscated payload is designed to establish communications with an external server and receive commands that allow it to change the current working directory, upload files, and execute shell commands. On Windows, the RAT persists on the system through a file under %LOCALAPPDATA%\Programs\Python\Python3127. If you find any files in this location, you have been compromised and should no longer trust the system to be safe.

Notes:

  1. This issue is particularly relevant to Windows systems where Python is expected to be available.
  2. The package was marked as deprecated; however, vulnerable versions were not removed from NPM.
  3. The maintainers have chosen to revert the malicious releases to clean, verified versions instead of publishing new fixed ones.
