Even official company documents can be misused to spread malware
- React Native documentation for Fabric Native Components includes a detailed guide with specific commands
- One command was flawed, which could have led to malware deployment
- A hacker discovered the flaw and tried to exploit it
Hackers have found a way to misuse official company documents and trick people into installing malware on their devices, new research shows.
In a recent blog post, cybersecurity researchers at Checkmarx explained how the React Native documentation for Fabric Native Components includes a detailed guide to creating custom components.
While Checkmarx did not provide any details about the malware and its capabilities, it did say that the implications of this attack “extend beyond direct data exposure,” suggesting that the malware was a form of information stealer.
Trust, but verify
React Native is an open source framework developed by Meta for building mobile applications using JavaScript and React, allowing developers to create applications for iOS, Android, and other platforms from a single codebase. Fabric Native Components, on the other hand, are part of the Fabric architecture in React Native, a redesigned rendering system aimed at improving performance, interoperability, and developer experience when building native components.
The manual uses “RTNCenteredText” as an example and suggests using “yarn upgrade rtn-centered-text” to update local development packages.
The problem here is that the command resolves the package name against the npm registry first, before looking at local files. A cybercriminal noticed this flaw, created a malicious package with the same name, and uploaded it to npm.
“This incident is a reminder that supply chain security requires vigilance at every level,” the researchers said. “Documentation must be accurate about package management commands, developers must verify package sources, and security tools must check for packages that may mimic official samples.”
In this example, developers are advised to use explicit paths when adding local packages. “Instead of using ‘yarn upgrade’, use ‘yarn add ../package-name’ to ensure you are referring to local development packages,” the researchers concluded.
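As an added illustration of that advice (not code from Checkmarx or the React Native project), the following Node.js check flags dependencies in a package.json that share a name with a local development package but are declared with a registry-style version range, and proposes the equivalent path-based specifier; the sample manifest, package names and directory paths are constructed for the example.

```javascript
// Added example, not code from Checkmarx or the React Native project.
// Flags package.json dependencies that share a name with a local development
// package but are declared with a registry-style range, so a same-named
// package published to npm could be installed instead of the local one.

// Specifier prefixes that make yarn/npm resolve from a path, not the registry.
const LOCAL_PREFIXES = ['file:', 'link:', 'portal:', 'workspace:', './', '../', '/'];

function isLocalSpecifier(spec) {
  return LOCAL_PREFIXES.some((prefix) => spec.startsWith(prefix));
}

// manifest: parsed package.json object.
// localPackages: map of package name -> relative directory of the local checkout
// (built by reading the "name" field of each sibling package's package.json).
function findRegistryShadowedDeps(manifest, localPackages) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!Object.prototype.hasOwnProperty.call(localPackages, name)) continue; // no local package of this name
      if (isLocalSpecifier(spec)) continue; // already pinned to a local path
      findings.push({
        field,
        name,
        specifier: spec,
        // Path form equivalent to the advised "yarn add ../package-name".
        suggestion: `file:${localPackages[name]}`,
      });
    }
  }
  return findings;
}

// Constructed sample: the app manifest references the local module by a bare
// version range, as it would after "yarn upgrade rtn-centered-text".
const sampleManifest = {
  name: 'Demo',
  dependencies: { 'rtn-centered-text': '^0.0.1', react: '18.2.0' },
};
// Constructed: the local package lives in a sibling directory (name assumed).
const sampleLocalPackages = { 'rtn-centered-text': '../rtn-centered-text' };

for (const f of findRegistryShadowedDeps(sampleManifest, sampleLocalPackages)) {
  console.log(`${f.field}: "${f.name}" is "${f.specifier}" (registry); use "${f.suggestion}"`);
}
```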