Even official company documents can be abused to try and spread malware

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

  • React Native documentation for Fabric Native Components includes a detailed guide with specific commands
  • One command was flawed, potentially resulting in malware deployment
  • A hacker discovered the flaw and tried to exploit it

Hackers found a way to abuse official company documents and get people to install malware on their devices, new research has claimed.

In a recent blog post, cybersecurity researchers from Checkmarx explained how the React Native documentation for Fabric Native Components includes a detailed guide for creating custom components.

While Checkmarx did not detail the malware and its capabilities, it did say that the implications of this attack “extend beyond immediate data exposure”, suggesting the malware was some form of an infostealer.

Trust, but verify

React Native is an open-source framework developed by Meta, for building mobile applications using JavaScript and React, allowing developers to create applications for iOS, Android, and other platforms from a single codebase. Fabric Native Components, on the other hand, are part of the Fabric architecture in React Native, which is a re-engineered rendering system aimed at improving performance, interoperability, and developer experience in building native components.

The guide uses “RTNCenteredText” as an example, and suggests using “yarn upgrade rtn-centered-text” to update local development packages.

The problem here is that the command first checks the npm registry for packages, before looking at local files. A cybercriminal picked up on this flaw, created a malicious package with the same name, and uploaded it to npm.

“This incident serves as a reminder that supply chain security requires vigilance at every level,” the researchers said. “Documentation must be precise about package management commands, developers need to verify package sources, and security tools should monitor for packages that may be impersonating official examples.”

In this example, developers are advised to use explicit paths when adding local packages. “Instead of using “yarn upgrade”, use “yarn add ../package-name” to ensure you're referencing local development packages,” the researchers conclude.

You might also like

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.