Malicious npm packages in the React Native ecosystem

Last updated: 03/26/2026
  • Multiple campaigns have abused React Native npm packages and tooling, from UI components to CLI utilities, through account takeover and typosquatting.
  • Attackers increasingly deploy sophisticated multi-stage malware that uses Solana or canister-based C2, targeting developer machines, CI pipelines and wallet or credential data.
  • Security vendors now rely on AI analysis, cooldown checks and strict CI egress controls to catch and contain these supply-chain attacks within minutes.
  • React Native teams should combine strict dependency hygiene, npm 2FA, lockfiles and continuous monitoring to meaningfully reduce supply-chain risk.

(Figure: malicious npm packages in React Native)

React Native has become one of the most widely used frameworks for building mobile applications, which makes its npm ecosystem a highly attractive target for attackers looking to compromise developer machines and CI pipelines. Over the past few years, several highly sophisticated campaigns have abused trusted React Native packages, popular tooling around the framework, and even typosquatted utilities to plant malware, steal credentials, drain crypto wallets and destroy JavaScript projects at scale.

If you build or maintain React Native apps today, simply running npm install and hoping for the best is no longer enough. Multiple threat actors are systematically abusing npm, targeting everything from UI components to CLI tools and even the transitive dependency graph hidden deep in your lockfiles. This article walks through the major known incidents, analyzes how the malware works, and lays out practical steps you can take to reduce the blast radius in your development environment.

Account takeover and install-time malware in React Native components

One of the most alarming supply-chain incidents in the React Native world affected two of the most common UI components for phone and country selection: react-native-international-phone-number and react-native-country-select. Both packages, maintained by the same author (@AstroONauta, npm user astroonauta), accumulated tens of thousands of weekly downloads and were installed in many production mobile apps.

(Figure: npm supply-chain attacks on React Native components)

On March 16, 2026, StepSecurity's AI-powered Package Analyst was the first to notice that new versions of these libraries had suddenly gained install-time malware. The compromised releases were react-native-international-phone-number@0.11.8 and react-native-country-select@0.3.91. The last verified clean versions at that time were 0.11.7 and 0.3.9 respectively.

The initial backdoor (Wave 1) was very simple: a new preinstall script and a heavily obfuscated install.js file bundled into the tarball. The malicious package.json fragment looked like this:

"scripts": { "preinstall": "node install.js" }

Because npm lifecycle scripts run automatically on npm install, anyone who pulled these versions, locally or in CI, executed the malware without importing a single line of the package's code. There were no matching Git tags, releases or CI workflow runs for the corrupted versions, and gitHead matched the previous good release, a strong indicator that the attacker had obtained direct publish access to the maintainer's npm account rather than modifying the GitHub repo.

Download data at the time underscores how bad this could have been: roughly 9,000 weekly downloads for react-native-country-select and over 20,000 for react-native-international-phone-number, adding up to as many as 130,000 per month between the two. This is exactly the kind of seemingly small, high-leverage dependency that silently lands on thousands of developer and CI machines.

A three-wave attack: from an obvious preinstall to hidden dependency chains

(Figure: waves of malicious npm attacks on React Native)

The campaign against these React Native packages played out in three distinct waves, each iteration more evasive than the last while reusing the same core malware. StepSecurity tracked the evolution almost in real time and coordinated with the maintainer, but the attacker repeatedly regained or retained access to the compromised npm account.

Wave 1 (March 16, 2026) focused directly on the preinstall hook in both packages. Within five minutes of publication, StepSecurity's AI flagged the new releases as critical, and issues were opened on GitHub: #165 for react-native-international-phone-number and #11 for react-native-country-select. The maintainer responded quickly, deprecating the malicious versions and pushing a clean react-native-country-select@0.4.0. The total time from publication to takedown was about 2 hours and 21 minutes, fast by ecosystem standards.

Despite this, the attacker never lost control of the npm credentials, which led to Wave 2 on March 17. Instead of dropping an obvious script into the main packages again, the threat actor set up two new staging packages to serve as hidden infrastructure:

  • @usebioerhold8733/s-format@2.0.1, an empty clone of string-format with a postinstall: "node init.js" script but no init.js file, so the hook failed silently.
  • @agnoliaarisian7180/string-argv@0.3.0, a near-empty package (README, LICENSE, package.json) whose only real purpose was to depend on @usebioerhold8733/s-format, registered with a ProtonMail-based maintainer address.

Later that night, react-native-international-phone-number@0.12.1 was published with @agnoliaarisian7180/string-argv@0.3.0 added as a new dependency, again without any GitHub Actions workflow run. At that point the chain was staged but inert, waiting for the payload to be switched on. When StepSecurity reported the anomaly, the maintainer confirmed what was already obvious from the artifacts: "my npm account was hacked and the library was taken over".

Wave 3 (March 18) turned the staged infrastructure into a working multi-hop malware delivery chain and refined it rapidly. New versions of the relay packages and the main library were pushed within an hour, with the attacker repeatedly tweaking how the payload was launched.

The final chain looked like this:

react-native-international-phone-number@0.12.2/0.12.3 → @agnoliaarisian7180/string-argv@latest → @usebioerhold8733/s-format@latest → postinstall → node child.js → init.js (malware)

The attacker first switched the payload on in @usebioerhold8733/s-format@2.0.2 by adding a large, obfuscated init.js file that was byte-for-byte identical to the earlier install.js from Wave 1. They then changed postinstall to call child.js instead of init.js, published 2.0.3 with a missing script (another dry run), and finally shipped 2.0.4 with a tiny child.js loader that simply checks for init.js and runs it via child_process.exec while discarding errors and stderr output.

At the same time, @agnoliaarisian7180/string-argv@0.3.1 loosened its dependency on s-format from a pinned version to "latest", and react-native-international-phone-number@0.12.2 did the same for string-argv. This created a self-updating malicious chain in which every install of the main package automatically pulls the newest version of the loader.

Finally, react-native-international-phone-number@0.12.3 removed the now-unnecessary preinstall hook (to look clean), kept the malicious dependency chain, and changed the npm maintainer email to another ProtonMail account outside the original author's control. That was a clear sign that the attacker was consolidating persistent control over the npm identity, not merely reusing a leaked token opportunistically.
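The artifacts that gave Waves 2 and 3 away are mechanical and easy to check for: a lifecycle hook that points at a file absent from the tarball (the dry runs), and dependency specs loosened to "latest" so that each install floats to the newest loader. The following is an added example, not code from the article or from the affected projects; the manifests and file lists are constructed to mirror the chain described above, and the audit rules are assumptions about what a reviewer would want flagged.

```javascript
// Added example (not from the original article or the affected packages):
// audit published npm tarball contents for the patterns seen in the waves
// above. Manifests and file lists are constructed to mirror the chain.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
const FLOATING_SPECS = new Set(["latest", "*", ""]);

// Extract the script file a hook such as "node child.js" points at
// (null when the hook is not a plain "node <file>" invocation).
function scriptTarget(command) {
  const m = /^node\s+([^\s&|;]+)/.exec(command.trim());
  return m ? m[1] : null;
}

// Findings for one tarball: every lifecycle hook, hooks that reference a file
// missing from the tarball (the "dry run" pattern), and dependency specs that
// float to whatever version is newest on the registry.
function auditTarball(manifest, files) {
  const findings = [];
  const fileSet = new Set(files);
  const pkg = `${manifest.name}@${manifest.version}`;
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (!cmd) continue;
    findings.push({ pkg, kind: "lifecycle-hook", detail: `${hook}: ${cmd}` });
    const target = scriptTarget(cmd);
    if (target && !fileSet.has(target)) {
      findings.push({ pkg, kind: "hook-missing-file", detail: target });
    }
  }
  for (const [dep, spec] of Object.entries(manifest.dependencies || {})) {
    if (FLOATING_SPECS.has(spec)) {
      findings.push({ pkg, kind: "floating-dependency", detail: `${dep}@${spec}` });
    }
  }
  return findings;
}

// Constructed tarballs modelled on the Wave 2 and Wave 3 relay packages,
// plus one clean package for contrast (a made-up name, not a real project).
const SAMPLE_TARBALLS = [
  { manifest: { name: "@usebioerhold8733/s-format", version: "2.0.1",
      scripts: { postinstall: "node init.js" } },
    files: ["package.json", "README.md"] },                 // hook but no init.js
  { manifest: { name: "@usebioerhold8733/s-format", version: "2.0.4",
      scripts: { postinstall: "node child.js" } },
    files: ["package.json", "child.js", "init.js"] },       // hook and loader present
  { manifest: { name: "@agnoliaarisian7180/string-argv", version: "0.3.1",
      dependencies: { "@usebioerhold8733/s-format": "latest" } },
    files: ["package.json", "README", "LICENSE"] },          // floats to newest loader
  { manifest: { name: "example-clean-widget", version: "1.0.0",
      dependencies: { "string-format": "^2.0.0" } },
    files: ["package.json", "index.js"] },
];

function auditAll(tarballs = SAMPLE_TARBALLS) {
  return tarballs.flatMap(t => auditTarball(t.manifest, t.files));
}

for (const f of auditAll()) console.log(`[${f.kind}] ${f.pkg}: ${f.detail}`);
```

In a real pipeline the manifest and file list would come from `npm pack --dry-run --json` or from unpacking the tarball, and a "hook-missing-file" finding is worth treating as seriously as a working hook: it usually means the publisher is still wiring the chain up.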

Inside the Solana-backed malware targeting React Native developers

Under the hood, the payload running across all three waves was the same sophisticated multi-stage malware, which abuses the Solana blockchain as a resilient command-and-control channel. The delivery method kept changing, but the "weapon" stayed the same across iterations, down to a byte-for-byte identical file when it was moved from Wave 1 to the Wave 3 infrastructure.

The script begins with a deliberate 10-second delay using setTimeout, a common sandbox-evasion trick. Many automated sandboxes and security tools give scripts only a short window to execute before concluding that nothing suspicious happened, so the malware simply waits before doing anything interesting.

Next, it applies a geo-filter to avoid infecting systems in Russia and parts of the CIS. It checks environment variables such as LANG, LANGUAGE and LC_ALL, host user information, the system time zone and even raw UTC offsets, looking for values that indicate a Russian locale (such as ru_RU or Russian) or one of a list of Russian/CIS time zones. If any of these match, the script exits immediately and silently.

Only if the environment passes those checks does the malware start talking to the Solana blockchain. It holds a hard-coded wallet address and queries it via the getSignaturesForAddress JSON-RPC method across nine Solana RPC endpoints hosted by various providers. This design gives the attacker high availability and makes simple domain or IP blocking ineffective.

The trick is that the attacker hides the next-stage payload URL inside the memo field of a Solana transaction to that wallet. The memo stores a base64-encoded JSON blob whose link field contains the next-stage URL. By sending a new transaction, the operator can rotate the payload URL at any time without changing the published npm packages.

Once the URL is extracted, the malware makes an HTTP request to the attacker's server at http://45.32.150.251/, sending the OS type in a custom os header so the C2 can return platform-specific binaries. The response body carries an encrypted payload, but the AES-256 key and IV needed to decrypt it are sent only in HTTP headers (secretkey and ivbase64), so any cached or intercepted body data is useless on its own.

The decrypted second stage never touches disk; it is executed in memory via eval(atob(...)) on Unix-like systems or via vm.Script on Windows, with full access to Node internals. Afterwards, the malware drops a ~/init.json marker file storing a timestamp and a unique identifier so that the same machine is not re-infected more than once every 48 hours. That rate limiting greatly reduces noise and gives defenders fewer behavioral indicators to latch onto.

The AES-decrypted third-stage payload, which researchers obtained by replaying the same Solana and HTTP steps, is a Windows-focused credential and wallet stealer plus loader. It establishes persistence via schtasks and a Run registry key, downloads additional encrypted modules from 45.32.150.251, and exfiltrates the loot to an IP in the 217.69.3.x range.

This payload harvests data from desktop wallets and browser extensions such as MetaMask, Phantom, Exodus, Atomic, Guarda, Coinomi, Daedalus, OKX Wallet, Trust Wallet, Braavos and more, walking through browser profile folders and local wallet directories after forcibly closing Chrome and Firefox. On top of that, it pulls npm tokens and GitHub credentials directly from local config files and credential helpers, turning developer boxes into fully equipped launch pads for further supply-chain attacks.

Notably, the malware even downloads its own Node.js runtimes (v22.9.0) for both x86 and x64 into %APPDATA%\_node_x86 and %APPDATA%\_node_x64, ensuring it has a compatible execution environment even when Node is not installed on the target system.

ForceMemo links and the GlassWorm threat actor

The technical fingerprints of this React Native npm incident line up closely with an earlier campaign dubbed "ForceMemo", which compromised hundreds of Python repositories on GitHub. Both operations used Solana as a dead-drop C2, the same set of nine RPC endpoints, the same JSON memo format with a link field, the same Russia/CIS geofiltering logic, the same ~/init.json persistence lock and the same infrastructure hosted on Vultr.

Although the Solana wallet addresses differ between the two campaigns, everything else points to a single, highly capable actor, believed to be the group known as GlassWorm. ForceMemo targeted developers through poisoned GitHub repos, while the React Native incident did so through npm packages and their dependency chains. The strategy is clear: reuse a sophisticated, modular malware framework but attach it to different distribution channels to reach as many development environments as possible.

Other malicious npm campaigns around React Native and JavaScript

The AstroONauta compromise is only one part of a broader wave of npm-based attacks affecting React Native apps directly or indirectly. Several security vendors have documented similar campaigns focused on React Native UI libraries, core CLI tools, and even the common build plugins that many React Native codebases rely on.

Aikido Security uncovered a large supply-chain operation in June 2025 that compromised at least 16 React Native-related packages under the @react-native-aria/* scope and @gluestack-ui/utils, together serving roughly a million downloads a week. The initial breach occurred on June 6, 2025, starting with @react-native-aria/focus@0.2.10, then spread quickly to the additional focus, overlay, interactive, toggle, switch, checkbox, radio, button, menu, listbox, tabs, combobox, disclosure, slider and separator packages and the GlueStack utilities on June 7.

The malware in that campaign was a Remote Access Trojan (RAT) built for Windows environments, persisting under %LOCALAPPDATA%\Programs\Python\Python3127 and connecting to C2 servers at 136.0.9[.]8 and 85.239.62[.]36. Its capabilities included arbitrary command execution, file upload/download and long-term remote access. Persistence meant that simply upgrading to a clean version of the React Native library did not disinfect machines that were already compromised.

Another long-running campaign uncovered by Socket's Threat Research Team used typosquatting and impersonation to plant destructive packages explicitly targeting popular JavaScript frameworks such as React, Vue, Vite and Quill. The threat actor, operating under the npm alias xuxingfeng, published a mix of legitimate and malicious packages over more than two years, building the outward appearance of a trustworthy maintainer.

Packages such as vite-plugin-bomb, vite-plugin-bomb-extend, vite-plugin-react-extend, vite-plugin-vue-extend and vue-plugin-bomb were designed not to steal data but to corrupt or destroy projects. They used multi-stage, date-triggered attacks, deleting critical framework files under node_modules (Vue, React, Vite, TypeScript, Ant Design Vue, Pinia, ECharts and more), sometimes paired with forced system shutdowns every second using shutdown -s -t 5.

One particularly nasty package, js-hood, tampered with core JavaScript prototypes such as Array.prototype.filter, map, push, pop and many String methods, replacing them with functions that appear to work but return random data. The result is applications that keep running yet produce corrupted, non-deterministic output that is extremely hard to debug.

The quill-image-downloader chain went in a different direction, focusing on client-side storage sabotage. It shipped a three-file structure that, after a certain trigger date, iterates over every key in localStorage, sessionStorage and cookies, then subtly corrupts their values with random characters while preserving their structure. Authentication tokens, shopping carts, user preferences and any other browser state become slightly corrupted, causing intermittent failures that many teams would initially attribute to application bugs.

Separate research from OP Innovate revealed a cluster of ten malicious npm packages posing as popular libraries such as TypeScript, discord.js, ethers.js, nodemon, react-router-dom and zustand. Once installed, these packages display a fake CAPTCHA window, fingerprint the host and download a large cross-platform info stealer from a C2 at 195.133.79.43, with explicit support for Windows, macOS and Linux.

Finally, the CanisterWorm campaign, described in detail by Aikido, shows how willing attackers are to use npm as a delivery vehicle. More than 135 packages from a compromised publisher account were armed with install-time scripts that run before any of your application code or build steps. Later stages behave differently depending on whether they land on a local developer box, a CI job or a containerized build node, and they talk to an Internet Computer (ICP) canister that serves as a stealthy C2, letting the operators change behavior on the fly without touching the npm registry again.

A critical vulnerability in React Native tooling: the Community CLI RCE

Not all React Native security risks come from malicious packages; some come from serious vulnerabilities in widely used tooling. One notable case is CVE-2025-11953 in the React Native Community CLI, a package pulled millions of times per week by developers on Windows, macOS and Linux.

The flaw allowed unauthenticated remote code execution (RCE) via crafted POST requests to the local development server started by the CLI. Because many developers expose their Metro/dev servers on the network to debug or test on a mobile device, a nearby attacker (or anyone able to route traffic to those ports) could run arbitrary commands on the developer's machine.

The impact extends beyond a single developer workstation: once an attacker has code execution on a developer box, they can pivot into corporate networks, exfiltrate credentials, poison builds or manipulate the CI/CD pipelines that sync from that machine. It is a textbook example of how a "local developer tool" becomes part of your production attack surface when you work in cloud-connected environments.

The recommended mitigation is simple but non-negotiable: upgrade to React Native Community CLI 12.5.1 or later, review logs for suspicious POST requests or unexpected processes spawned by the dev server, restrict access to local servers and fold developer tooling into your threat-detection strategy. Treat any DevOps or developer endpoint as a high-value target, because that is exactly how today's attackers see it.

How defenders responded: AI analysis, cooldowns and hardened CI

The good news in these stories is that the security community is getting faster and much better at catching supply-chain threats across React Native and the broader JavaScript landscape. Tools from StepSecurity, Socket and Aikido Security invest heavily in behavioral analysis, automated triage and machine-learning models that scan new npm releases within minutes of publication.

In the AstroONauta attack, StepSecurity's AI Package Analyst found the malicious versions in under five minutes, opened GitHub issues with full technical breakdowns, and later reported the attacker's infrastructure packages to npm for removal. The team documented each wave, tracked git heads, analyzed the obfuscated code, demonstrated evidence of Solana C2 usage and gave the maintainer step-by-step remediation guidance.

Beyond detection, preventive controls are starting to gain traction in CI pipelines. For example, StepSecurity's npm Package Cooldown Check lets organizations block dependencies published within the last few hours, giving scanners and humans time to review them. Their compromised-package checks compare lockfiles against a continuously updated feed of known-bad packages and fail PRs that try to add or upgrade to them.

Network-aware tools such as Harden Runner restrict outbound connections from GitHub Actions and other CI jobs to an allowlist of expected endpoints. In a world where malware fetches payloads from Solana RPC nodes, Google Calendar URLs, Vultr IP ranges or ICP canisters, locking down egress from your build system can be the difference between a bad package diff and a full compromise.

On the response side, features such as organization-wide package search and threat centers help teams scope the blast radius quickly. As soon as an affected React Native package or plugin is identified, security teams can see which repositories, branches and lockfiles include it, which workflows ran it and which machines talked to suspicious IPs, then prioritize remediation appropriately across dozens or hundreds of codebases.
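The egress control and the "which machines talked to suspicious IPs" triage above both reduce to the same check: compare each outbound connection from a build job against an allowlist and against the indicators you already know. The following is an added example, not code from the article or from any vendor's product; the log line format, the allowlist and the hostnames are assumptions, and the sample log is constructed. The C2 addresses are the ones quoted in the article.

```javascript
// Added example (not from the article or any vendor's product): an egress
// allowlist check run over constructed CI network log lines.
const ALLOWED_EGRESS = new Set([
  "registry.npmjs.org",
  "github.com",
  "api.github.com",
  "objects.githubusercontent.com",
]);

// Command-and-control addresses quoted in the article for the campaigns it
// covers, in plain form; refang() normalises defanged "[.]" input to match.
const KNOWN_BAD_HOSTS = new Set([
  "45.32.150.251", "136.0.9.8", "85.239.62.36", "195.133.79.43", "217.69.3.152",
]);

// Turn defanged "1.2.3[.]4" into "1.2.3.4" so indicators match either way.
function refang(host) {
  return host.replace(/\[\.\]/g, ".");
}

// Parse one constructed log line of the form
// "<timestamp> job=<id> dst=<host>:<port> proto=<proto>"; null if malformed.
function parseLine(line) {
  const m = /^(\S+)\s+job=(\S+)\s+dst=([^:\s]+):(\d+)\s+proto=(\S+)/.exec(line);
  if (!m) return null;
  return { ts: m[1], job: m[2], host: refang(m[3]), port: Number(m[4]), proto: m[5] };
}

// "known-bad" wins over everything else, then the allowlist, then "unlisted":
// an unlisted destination is what an egress policy should block and surface
// for review, even before anyone has attributed it to a campaign.
function classify(conn) {
  if (KNOWN_BAD_HOSTS.has(conn.host)) return "known-bad";
  if (ALLOWED_EGRESS.has(conn.host)) return "allowed";
  return "unlisted";
}

function auditEgress(lines) {
  const verdicts = { allowed: [], "known-bad": [], unlisted: [] };
  for (const line of lines) {
    const conn = parseLine(line);
    if (!conn) continue; // skip lines that do not match the expected format
    verdicts[classify(conn)].push(conn);
  }
  return verdicts;
}

// Constructed sample: one build job installs dependencies, then reaches for an
// RPC relay (a made-up hostname) and the payload server from the article.
const SAMPLE_LOG = [
  "2026-03-18T10:00:01Z job=build-42 dst=registry.npmjs.org:443 proto=tcp",
  "2026-03-18T10:00:14Z job=build-42 dst=rpc.example-solana-provider.net:443 proto=tcp",
  "2026-03-18T10:00:15Z job=build-42 dst=45.32.150[.]251:80 proto=tcp",
  "2026-03-18T10:00:20Z job=build-42 dst=github.com:443 proto=tcp",
  "this line is deliberately malformed and is skipped",
];

const report = auditEgress(SAMPLE_LOG);
for (const [verdict, conns] of Object.entries(report)) {
  for (const c of conns) console.log(`${verdict.padEnd(9)} ${c.job} -> ${c.host}:${c.port}`);
}
```

The design point is the ordering in classify(): an allowlist alone would already have blocked both bad destinations here, but labelling the known indicator separately is what turns a blocked connection into an incident rather than a build failure someone retries.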

Practical actions for React Native teams facing npm malware

For React Native developers and security engineers alike, defending against npm-level attacks comes down to combining hygiene on each machine with protective guardrails in CI/CD and dependency management. No single control will save you, but layered defenses dramatically reduce the chances of a malicious package turning into a full compromise.

If you use the compromised packages mentioned earlier, there are some immediate checks to perform. For the AstroONauta incident, pin react-native-international-phone-number to version 0.11.7 and react-native-country-select to 0.4.0, avoiding every version flagged as malicious and any range that resolves @latest to a currently compromised release.

Check your home directory for a file named init.json under the user profile (for example ~/init.json on Unix and ~\init.json on Windows). Its presence suggests the Solana-backed malware has run at least once. Also review outbound network logs from developer workstations and CI runners for connections to 45.32.150.251, the Solana RPC endpoints used in the campaigns, or the other C2 addresses cited earlier (e.g. 136.0.9[.]8, 85.239.62[.]36, 195.133.79.43, 217.69.3.152).

Inspect your node_modules and lockfiles for transitive dependencies such as @agnoliaarisian7180/string-argv, @usebioerhold8733/s-format and the malicious @react-native-aria/* or @gluestack-ui/utils versions listed in the advisories. If you find any of these, treat the machine as compromised and rotate every sensitive credential: npm tokens, GitHub access tokens, SSH keys, cloud provider keys and any secrets present in .env or config files at install time.

Looking ahead, harden your React Native supply-chain posture: always commit and enforce lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), enable 2FA on every npm account with publish rights, and configure your CI to fail builds when a new dependency appears without review. Consider using --ignore-scripts when installing third-party packages in untrusted contexts, together with dependency scanning tools in both local workflows and CI.
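The lockfile inspection and the "fail the build on an unreviewed new dependency" rule above can be scripted against package-lock.json directly, and the same pass can apply a publish-time cooldown like the one described in the previous section. The following is an added example, not code from the article, StepSecurity or any other vendor; the lockfile and the registry time metadata are constructed (real registry documents carry a "time" field of the same shape), the 24-hour cooldown is an assumption, and the flagged versions are the ones the article quotes.

```javascript
// Added example (not from the article or any vendor): audit a package-lock.json
// (lockfileVersion 2/3 "packages" layout) against the versions this article
// flags and against a publish-time cooldown. All sample data is constructed.

// Versions quoted in the article; "any" marks attacker-created relay packages.
const FLAGGED_VERSIONS = {
  "react-native-international-phone-number": new Set(["0.11.8", "0.12.1", "0.12.2", "0.12.3"]),
  "react-native-country-select": new Set(["0.3.91"]),
  "@agnoliaarisian7180/string-argv": "any",
  "@usebioerhold8733/s-format": "any",
};

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is whatever follows the last "node_modules/". The root entry "" has none.
function nameFromLockKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

function isFlagged(name, version) {
  const rule = FLAGGED_VERSIONS[name];
  return rule === "any" || (rule instanceof Set && rule.has(version));
}

// registryTime: { [name]: { [version]: ISO publish timestamp } }, the shape of
// the "time" field in npm registry metadata. `now` is epoch milliseconds.
function auditLockfile(lock, registryTime, now, cooldownHours = 24) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name || !entry.version) continue;
    if (isFlagged(name, entry.version)) {
      findings.push({ name, version: entry.version, kind: "flagged-version" });
    }
    const published = registryTime[name] && registryTime[name][entry.version];
    if (published) {
      const ageHours = (now - Date.parse(published)) / 3600000;
      if (ageHours < cooldownHours) {
        findings.push({ name, version: entry.version, kind: "inside-cooldown",
                        ageHours: Math.round(ageHours) });
      }
    }
  }
  return findings;
}

// Constructed lockfile: the Wave 3 chain nested under the main package, the
// clean country-select release, and an unrelated old dependency for contrast.
const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react-native-international-phone-number": { version: "0.12.3" },
    "node_modules/@agnoliaarisian7180/string-argv": { version: "0.3.1" },
    "node_modules/@agnoliaarisian7180/string-argv/node_modules/@usebioerhold8733/s-format": { version: "2.0.4" },
    "node_modules/react-native-country-select": { version: "0.4.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed publish times (not the real registry timestamps).
const SAMPLE_REGISTRY_TIME = {
  "react-native-international-phone-number": { "0.12.3": "2026-03-18T03:00:00Z" },
  "react-native-country-select": { "0.4.0": "2026-03-16T20:00:00Z" },
  "left-pad": { "1.3.0": "2018-04-26T00:00:00Z" },
};
const NOW = Date.parse("2026-03-18T12:00:00Z");

for (const f of auditLockfile(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME, NOW)) {
  console.log(`[${f.kind}] ${f.name}@${f.version}${f.ageHours !== undefined ? ` (${f.ageHours}h old)` : ""}`);
}
```

Run it in CI with a non-zero exit on any finding and the two classes of failure stay distinct: a "flagged-version" result means rotate credentials and treat the runner as compromised, while "inside-cooldown" only means wait or get a human review before merging.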

Finally, treat development environments, especially those used for React Native apps spanning mobile, web and backend APIs, as part of your production attack surface. Whether the threat is an account takeover delivering Solana-backed malware through a phone-input component, a typosquatted Vite plugin deleting React from node_modules, a malicious Quill integration attacking client-side storage, or an RCE in the React Native Community CLI, the common thread is that attackers now see developer tooling as one of the most effective paths into your organization's assets.
