- React Native documentation for Fabric Native Components includes a detailed guide with specific commands
- One command was flawed, potentially resulting in malware deployment
- A hacker discovered the flaw and tried to exploit it
Hackers found a way to abuse official company documents and get people to install malware on their devices, new research has claimed.
In a recent blog post, cybersecurity researchers from Checkmarx explained how the React Native documentation for Fabric Native Components includes a detailed guide for creating custom components.
While Checkmarx did not detail the malware and its capabilities, it did say that the implications of this attack “extend beyond immediate data exposure”, suggesting the malware was some form of an infostealer.
Trust, but verify
React Native is an open-source framework developed by Meta, for building mobile applications using JavaScript and React, allowing developers to create applications for iOS, Android, and other platforms from a single codebase. Fabric Native Components, on the other hand, are part of the Fabric architecture in React Native, which is a re-engineered rendering system aimed at improving performance, interoperability, and developer experience in building native components.
The guide uses “RTNCenteredText” as an example, and suggests using “yarn upgrade rtn-centered-text” to update local development packages.
The problem here is that the command first checks the npm registry for packages, before looking at local files. A cybercriminal picked up on this flaw, created a malicious package with the same name, and uploaded it to npm.
“This incident serves as a reminder that supply chain security requires vigilance at every level,” the researchers said. “Documentation must be precise about package management commands, developers need to verify package sources, and security tools should monitor for packages that may be impersonating official examples.”
In this example, developers are advised to use explicit paths when adding local packages. “Instead of using “yarn upgrade”, use “yarn add ../package-name” to ensure you’re referencing local development packages,” the researchers conclude.
Leave a comment