It looks like someone managed to inject malicious code into the GlueStack and NativeBase package dependencies. This is really concerning since these packages get downloaded almost a million times every week. I noticed some weird behavior in my project after updating and found out about this security issue. Has anyone else experienced problems with their apps after recent updates? I’m worried about what kind of damage this could cause to projects that already updated. Should we be rolling back to previous versions or is there a safe version we can use? Really makes you think twice about automatic dependency updates. The whole JavaScript ecosystem feels pretty vulnerable when stuff like this happens.
Just checked our production - luckily we had version pinning enabled so we dodged this bullet. But this whole thing shows we need more than just rollbacks for dependency management. I’ve been running security scans on our node modules and found some sketchy network calls that weren’t there before. What really bugs me is how long these malicious packages can sit in the ecosystem undetected. Moving forward, I’m adding automated security scanning to our CI pipeline and actually using npm audit consistently. The JS community seriously needs better verification for package updates, especially for popular libraries. If you haven’t already, definitely look into subresource integrity checks.
Yes, the issue with Gluestack is alarming and urgent action is required. Supply chain attacks can affect a large number of users due to the wide adoption of such packages. If your project has been updated recently, it’s critical to conduct a thorough audit for security threats. Ensure your dependencies are pinned to stable versions that were released before this incident, as many package managers are already identifying the affected versions. Continuous monitoring and vigilance regarding security will help mitigate these types of risks.
This is terrifying. Had some weird crashes yesterday and now I’m wondering if they’re connected. Already downgraded my Gluestack version just to be safe. Supply chain attacks are everywhere now - makes me paranoid about every npm install.