New NPM Supply Chain-Attack Hits 187 Packages — Here’s Why Mobile Apps Are Still at Risk

Executive Summary

Last week, we reported on a near-miss incident involving npm software supply-chain attacks impacting mobile applications. Unfortunately, a new wave of NPM supply chain compromises has been discovered affecting 187 packages including critical frameworks used in mobile app development. 

The good news? Our ongoing analysis of public mobile apps from the Google Play and Apple App Store shows no direct usage of these packages yet. The bad news? This only addresses half of the mobile security picture. 

Modern mobile apps rely heavily on backend services, developer tools and third-party backend services, all of which are increasingly at risk, creating an indirect but equally dangerous attack vector for the mobile ecosystem. Lastly, we discuss an often overlooked risk: a supply-chain attack on the mobile application that results in near-zero visibility using traditional backend security approaches, a scenario that looks increasingly likely with current trends.

The Expanding Attack Surface: New Compromised Packages

Following our earlier analysis of the September 8 NPM supply-chain attack that compromised packages with over 2 billion weekly downloads, security researchers have now identified an additional 187 npm packages (and counting) with malicious code injections. This new wave particularly targets various development ecosystems, including:

• NativeScript Ecosystem: Over 20 packages from @nativescript-community/* including core UI components, SQLite implementations, and gesture handlers
• Angular Mobile Components: Multiple Angular packages including angulartics2, @nstudio/angular, and DevExtreme Angular implementations
• React Native Adjacent: Packages like @teselagen/react-table, react-jsonschema-form-conditionals, and various React component libraries
• Cordova/Hybrid App Tools: config-cordova, cordova-plugin-voxeet2, and related VoIP implementations

Particularly concerning are compromised packages from Crowdstrike that appear to be part of their development infrastructure components. Bad actors could be intentionally targeting security vendors to exploit the privileged position a security tool may have in their customers/ infrastructure.

• CrowdStrike packages: @crowdstrike/commitlint and @crowdstrike/falcon-shoelace

While mobile applications may be in the clear now, backend infrastructure is a critical yet often overlooked attack vector.

The Backend: Why Mobile Apps Are Still at Risk

The Flip Side of Mobile Security

While mobile applications may be in the clear now, backend infrastructure is a critical yet often overlooked attack vector. Modern mobile applications are complex beasts that tap into very sensitive user information with access to the most sensitive of user data, from photos, user locations, user contacts and even health data that ultimately rely on a backend server as broker. 

Such backend infrastructure includes:

• API servers and microservices: Can be built with Node.js and npm packages
• Developer tooling: Build systems, CI/CD pipelines and testing frameworks, especially including the GitHub Actions ecosystem
• Shared infrastructure: Backend services often run alongside other applications and services
• Content Management Systems: Mobile apps can pull content from CMS platforms powered by npm packages

Modern cloud architectures often run multiple services on shared infrastructure:

• Kubernetes clusters: Mobile backends share pods with web services
• Serverless functions: Lambda functions for mobile and web share environments
• Container orchestration: Docker Swarm or ECS tasks running multiple services
• Shared databases: Mobile and web apps often use the same data stores

A compromised npm package in any colocated service can potentially access:

• Shared environment variables
• Network traffic between services
• Mounted volumes and file systems
• Service mesh communications

Developers Are the New Attack Vector

The S1ngularity/nx attackers have weaponized npm into a self-replicating worm that turns developer machines into attack platforms. Unlike previous supply-chain attacks that required manual propagation, “Shai-Hulud” automatically spreads from a single compromised developer to other packages they maintain.

Attack Scenarios from Compromised Packages

The malicious code in these packages can be used to:

• Steal environment variables: Including API keys, database credentials, and authentication secrets from the developer’s machine or the supporting infrastructure
• Intercept network traffic: Potentially accessing mobile app API communications
• Modify Response Data: Altering what mobile apps receive from backend services
• Exfiltrate Sensitive Data: User information, authentication tokens, and session data

Consider this attack chain:

1. A compromised npm package in your stack steals AWS credentials
2. Attackers gain access to your S3 buckets containing mobile app infrastructure configuration or data storage
3. Push notification keys, API endpoints and feature flags potentially exposed
4. Mobile apps continue functioning normally while attackers harvest user data

Additionally, many mobile applications host dynamic mobile application code and through the use of WebView technology, many applications have dynamic behavior that could be sent from the server to the endpoint. This code can access native mobile OS services and user data.

Client-Side Compromise: The Silent Threat

A particularly insidious aspect of these supply-chain attacks is their ability to create invisible data collection points within the application itself, operating completely outside traditional server-side security visibility. When a compromised package infects a mobile app or its web components, it can inject code that intercepts data at multiple points in the client-side flow — capturing user inputs before encryption, copying API responses after decryption, or duplicating authentication tokens during storage operations. 

For example, a malicious package embedded in a React Native app could hook into the fetch() API or XMLHttpRequest, silently copying every API request and response to an attacker-controlled endpoint while still allowing the legitimate traffic to flow normally to your servers. From the backend’s perspective, everything appears normal— requests arrive with proper authentication, responses are delivered successfully and security logs show no anomalies. 

The server has no way to detect that the malicious code on the client side has already captured credit card numbers from form inputs before they were encrypted, scraped authentication tokens from AsyncStorage, or copied sensitive user data from API responses. This client-side shimming is particularly dangerous in mobile apps where security teams have limited runtime visibility compared to server environments, and where legitimate functionality like analytics SDKs and crash reporters have already normalized the practice of client-side data collection, making malicious data exfiltration nearly indistinguishable from legitimate telemetry. Lastly, while mobile RASP solutions may attempt to protect against different types of threats, the malicious supply-chain component is in the same address space and can completely evade this technology. Therefore a strong defense would also be to monitor your application behavior with real device testing.

Conclusion

While our analysis showed mobile applications haven’t yet incorporated these specific malicious package versions directly, this should provide little comfort. The backend services, development tools, and infrastructure that mobile apps depend on are actively under attack.

The compromised packages represent a danger to mobile ecosystems — not just through direct infection, but through the compromise of the server-side infrastructure that mobile apps inherently trust. On the flip side, investing entirely on backend infrastructure monitoring could miss a dependency that only exists on the user’s endpoint. Every API call from a mobile app to an attacker-controlled backend is a potential data breach that never touches your existing security infrastructure. And unfortunately CI/CD pipelines with infected packages can inject malware into future app releases and must be considered.

Mobile security must encompass:

• Full stack visibility: From the app’s vulnerabilities, data privacy, to API and supporting infrastructure
• Supply-chain Integrity: Every npm package is a potential threat vector, as are unfortunately maven (Java), Swift and Cocoapod ecosystems for mobile.
• Backend security parity: Backend services continue to need the same scrutiny as mobile apps, but a potential attack where the malicious component is only ever on the client-side is a potential blind spot for many organizations.

Continuous monitoring: Real-time monitoring of the app supply chain and compromises

What NowSecure Customers Should Do

NowSecure Platform users can take immediate action to validate exposure.

1. In NowSecure Platform, go to the Apps section in the top menu and locate the application you want to validate.
2. Click on the app’s name, find the most recent assessment, and select View Report.
3. In the left-hand menu, navigate to Observations, expand the Code Quality section, and click on Software Components.
4. Use the search function to filter by each known vulnerable NPM package, and compare the compromised versions with those found in your app.

Recommendations for Mobile Dev & AppSec Teams

For Mobile Development Teams

1. Audit Your Stack: mobile app dependencies and backend infrastructure dependencies

bash

   # Check backend services
   npm audit --production
   
   # Check development dependencies
   npm audit --dev 

2. Implement Package Pinning: Reduce the risk by pinning dependencies to non-affected versions.

json

   {
     "overrides": {
       "@nativescript-community/sqlite": "<version>",
       "@crowdstrike/commitlint": "<version>"
     }
   }

3. Observe and Monitor for Unusual Behavior:
   • Unexpected outbound connections
   • Abnormal CPU/memory usage
   • New processes or file system changes

Contact us to learn how NowSecure mobile app risk management solutions identify and help remediate mobile app risk in first and third-party apps.