Add gluestack and react native aria compromise reports. (#927)

Signed-off-by: Caleb Brown <calebbrown@google.com>

Author: calebbrown

osv/malicious/npm/@gluestack-ui/utils/MAL-0000-google-open-source-security-17982e09dcf1a69c.json

@@ -0,0 +1,44 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @gluestack-ui/utils (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@gluestack-ui/utils"
+      },
+      "versions": [
+        "0.1.16",
+        "0.1.17"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "17982e09dcf1a69caf714afad49b310371d80fe7260bf21fcad08da2a07df00c",
+        "import_time": "2025-06-10T06:38:15.27525Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.1.16",
+          "0.1.17"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/button/MAL-0000-google-open-source-security-59aea492d433f73b.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/button (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/button"
+      },
+      "versions": [
+        "0.2.11"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "59aea492d433f73b670e379d9e7e5131f8b7a98b245557a4cb8cce7565baaa00",
+        "import_time": "2025-06-10T06:38:15.237792Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.11"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/checkbox/MAL-0000-google-open-source-security-ddc6ca13c8475738.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/checkbox (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/checkbox"
+      },
+      "versions": [
+        "0.2.11"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "ddc6ca13c84757389a8703ee553981d86519fdeca6112152dc3bf344c98ea337",
+        "import_time": "2025-06-10T06:38:15.222821Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.11"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/combobox/MAL-0000-google-open-source-security-1ac997eb7889bb6a.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/combobox (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/combobox"
+      },
+      "versions": [
+        "0.2.8"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "1ac997eb7889bb6aa988bf49e9beb198eb49629764c6fff1ac19cd4e8118b600",
+        "import_time": "2025-06-10T06:38:15.258395Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.8"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/disclosure/MAL-0000-google-open-source-security-257ffc8541490ada.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/disclosure (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/disclosure"
+      },
+      "versions": [
+        "0.2.9"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "257ffc8541490ada2a41d7f56aac16d0a9eb9c789be4858a9fb6243c31937ef6",
+        "import_time": "2025-06-10T06:38:15.263201Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.9"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/focus/MAL-0000-google-open-source-security-f417c0ca8632369f.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/focus (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/focus"
+      },
+      "versions": [
+        "0.2.10"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "f417c0ca8632369f18fa208f418b61b3150122f048ba95cbf4b0ab78dc4f20c2",
+        "import_time": "2025-06-10T06:38:15.181948Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.10"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/interactions/MAL-0000-google-open-source-security-0ebff3f8886f25a3.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/interactions (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/interactions"
+      },
+      "versions": [
+        "0.2.17"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "0ebff3f8886f25a3adc58387ba0a97c3768c3c88e8f4c09d8562b92b0fdbbd7f",
+        "import_time": "2025-06-10T06:38:15.205007Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.17"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/listbox/MAL-0000-google-open-source-security-7483620e07f1df85.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/listbox (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/listbox"
+      },
+      "versions": [
+        "0.2.10"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "7483620e07f1df855fba9750b8b752f9ec4ce35723c1920562bc7c2f86cf2c6d",
+        "import_time": "2025-06-10T06:38:15.248628Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.10"
+        ]
+      }
+    ]
+  }
+}

osv/malicious/npm/@react-native-aria/menu/MAL-0000-google-open-source-security-8890be818fee58f3.json

@@ -0,0 +1,42 @@
+{
+  "modified": "2025-06-10T06:36:28Z",
+  "published": "2025-06-10T06:36:28Z",
+  "schema_version": "1.5.0",
+  "id": "",
+  "summary": "Malicious code in @react-native-aria/menu (npm)",
+  "details": "React Native ARIA and @gluestack-ui/utils had unauthorized new versions published\nthat contained malicious code via a public access token compromise.\n\nThe malicious code connects to a command and control server and allows\nremote access, including arbitrary command execution.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@react-native-aria/menu"
+      },
+      "versions": [
+        "0.2.16"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/gluestack/gluestack-ui/issues/2894"
+    },
+    {
+      "type": "ARTICLE",
+      "url": "https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem"
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "source": "google-open-source-security",
+        "sha256": "8890be818fee58f3ddcfc7238753e75234d4f0d165160e786b299d128172ff69",
+        "import_time": "2025-06-10T06:38:15.243813Z",
+        "modified_time": "2025-06-10T06:36:28Z",
+        "versions": [
+          "0.2.16"
+        ]
+      }
+    ]
+  }
+}