www.stepsecurity.io 3/16/2026, 2:47:59 PM · via preferred

Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised

Primary Source github.com

On 16 March 2026, StepSecurity Threat Intel was the first to detect and report malicious npm releases in two popular React Native packages: react-native-international-phone-number and react-native-country-select. The AI Package Analyst flagged the compromised versions, and within minutes StepSecurity filed security issues directly in both GitHub repositories, alerting the maintainer and the community before any other security vendor.

The maintainer responded within hours, deprecating the compromised versions and securing the packages. The compromised versions were 0.11.8 for react-native-international-phone-number (last clean 0.11.7) with ~92,000 monthly downloads, and 0.3.91 for react-native-country-select (last clean 0.3.9) with ~42,000 monthly downloads; notably, react-native-country-select is also a dependency of the former.

The attack involved publishing new versions with no corresponding GitHub release, injecting a preinstall script into package[.]json and adding an install[.]js with heavily obfuscated code, so the payload executed automatically during installation.

StepSecurity’s AI Package Analyst noted signals such as new versions without releases, added preinstall scripts, obfuscated code, and version-number anomalies. The overall timeline shows detection at 11:49 UTC, issues filed at 11:55 UTC, and maintainer deprecation by 1:15 UTC, roughly 1.5 hours later.
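As an added example (not StepSecurity's code and not from either package), the following Node.js script checks two of the signals named above for a candidate release: an install-time lifecycle hook that appears in the new version but not in the last clean one, and crude obfuscation markers in the script that hook runs. The manifests, the install-script body and the detection thresholds are constructed assumptions.

```javascript
// Added example, not StepSecurity's or either package's code. It checks two of
// the signals named above: an install-time lifecycle hook that appears in a new
// version but not in the last clean one, and crude obfuscation markers in the
// script that hook runs. All inputs below are constructed stand-ins.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Lifecycle hooks present in `next` but absent from `prev` (parsed package.json objects).
function newInstallHooks(prev, next) {
  const before = prev.scripts || {};
  const after = next.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => hook in after && !(hook in before))
    .map((hook) => ({ hook, command: after[hook] }));
}

// Heuristic obfuscation markers in a JavaScript source body. The thresholds
// (20 escape sequences, 500-char lines) are assumptions, not vetted cut-offs.
function obfuscationSignals(source) {
  const signals = [];
  const escapes = (source.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || []).length;
  if (escapes > 20) signals.push(`escape-sequences:${escapes}`);
  if (source.split('\n').some((line) => line.length > 500)) signals.push('long-line');
  if (/\b(eval|Function)\s*\(/.test(source)) signals.push('dynamic-eval');
  if (/String\.fromCharCode\s*\(/.test(source)) signals.push('fromCharCode');
  return signals;
}

// Combine both checks into one verdict: a newly added hook whose script also
// shows obfuscation markers is the pattern the article describes.
function assessRelease(prevManifest, nextManifest, installSource) {
  const hooks = newInstallHooks(prevManifest, nextManifest);
  const signals = installSource ? obfuscationSignals(installSource) : [];
  return { hooks, signals, suspicious: hooks.length > 0 && signals.length > 0 };
}

// Constructed manifests modelled on the pattern described in the article
// (clean version has no install hooks; new version adds a preinstall script).
const cleanManifest = { name: 'example-pkg', version: '0.11.7', scripts: { test: 'jest' } };
const badManifest = {
  name: 'example-pkg', version: '0.11.8',
  scripts: { test: 'jest', preinstall: 'node install.js' },
};
// Constructed, inert stand-in for an obfuscated install.js (never executed here).
const sampleInstallJs = 'var s="' + '\\x41'.repeat(30) + '";eval(s);';

console.log(JSON.stringify(assessRelease(cleanManifest, badManifest, sampleInstallJs), null, 2));
```

Setting `ignore-scripts=true` in `.npmrc` stops lifecycle hooks like the one above from running at install time at all, at the cost of breaking packages that legitimately rely on them.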


Article by CyberSIXT