Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Even official company documents can be abused to try and spread malware

Representational image depecting cybersecurity protection.

  • React Native documentation for Fabric Native Components includes a detailed guide with specific commands
  • One command was flawed, potentially resulting in malware deployment
  • A hacker discovered the flaw and tried to exploit it

Hackers found a way to abuse official company documents and get people to install malware on their devices, new research has claimed.

In a recent blog post, cybersecurity researchers from Checkmarx explained how the React Native documentation for Fabric Native Components includes a detailed guide for creating custom components.

While Checkmarx did not detail the malware and its capabilities, it did say that the implications of this attack “extend beyond immediate data exposure”, suggesting the malware was some form of an infostealer.

Trust, but verify

React Native is an open-source framework developed by Meta, for building mobile applications using JavaScript and React, allowing developers to create applications for iOS, Android, and other platforms from a single codebase. Fabric Native Components, on the other hand, are part of the Fabric architecture in React Native, which is a re-engineered rendering system aimed at improving performance, interoperability, and developer experience in building native components.

The guide uses “RTNCenteredText” as an example, and suggests using “yarn upgrade rtn-centered-text” to update local development packages.

The problem here is that the command first checks the npm registry for packages, before looking at local files. A cybercriminal picked up on this flaw, created a malicious package with the same name, and uploaded it to npm.

“This incident serves as a reminder that supply chain security requires vigilance at every level,” the researchers said. “Documentation must be precise about package management commands, developers need to verify package sources, and security tools should monitor for packages that may be impersonating official examples.”

In this example, developers are advised to use explicit paths when adding local packages. “Instead of using “yarn upgrade”, use “yarn add ../package-name” to ensure you're referencing local development packages,” the researchers conclude.

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.