React Native ARIA Package Exposed Developers To Trojan
We have a problem. Or rather, React Native developers have one, and a more unusual one than normal.
It turns out that someone compromised a widely used React Native package and infected it with a trojan.
So that’s fun. The package is react-native-aria.
The package offers accessibility hooks for mobile app developers. Instead of using a component library that ships with accessible components out of the box, you can write your own components and extend them with ARIA features through React Native Aria. The concept follows the idea of externalizing core component behavior into a library that you add as a dependency to your React Native app.
Anyway, it turns out that lately the package has come with some unwelcome company.
Some of the 78,000 downloads of the package from npm may have come bundled with a trojan.
Digging deeper, we find that version 0.2.11 was published 4 days ago and has already been deprecated:
It was downloaded 707 times, so not that many. The package isn’t updated that often either.
The files seem unusually big:
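The three things checked above (a version that was deprecated right after publishing, a publish date only days old, and a sudden jump in package size) can be read straight from the registry metadata that `npm view <package> --json` or `https://registry.npmjs.org/<package>` returns. The script below is an added example, not code from the article or from the react-native-aria project: it walks that metadata and flags versions that match. The `SAMPLE_METADATA` document is constructed for illustration (a hypothetical package name, made-up sizes, dates and deprecation message); only the field names (`versions[v].dist.unpackedSize`, `versions[v].deprecated`, `time[v]`) are the real registry fields.

```javascript
// Added example: audit npm registry metadata for suspicious versions.
// SAMPLE_METADATA is a constructed document shaped like the registry's
// response; the package name, sizes, dates and message are hypothetical.
const SAMPLE_METADATA = {
  name: "example-pkg",
  "dist-tags": { latest: "0.2.11" },
  // publish timestamps per version (real field: `time`)
  time: {
    "0.2.9": "2024-11-02T10:00:00.000Z",
    "0.2.10": "2025-01-15T10:00:00.000Z",
    "0.2.11": "2025-06-06T12:00:00.000Z",
  },
  // per-version tarball facts (real fields: `dist.unpackedSize`, `deprecated`)
  versions: {
    "0.2.9": { dist: { unpackedSize: 120000, fileCount: 40 } },
    "0.2.10": { dist: { unpackedSize: 125000, fileCount: 41 } },
    "0.2.11": {
      dist: { unpackedSize: 2600000, fileCount: 41 },
      deprecated: "constructed deprecation message: do not use",
    },
  },
};

// Numeric semver ordering; any pre-release suffix ("-beta.1") is ignored,
// which is enough for ordering plain release versions like the ones above.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ version, reasons: [...] }] for every version that is deprecated,
// published within `maxAgeDays` of `now`, or at least `sizeRatio` times the
// unpacked size of the previous release.
function auditVersions(meta, { now = Date.now(), maxAgeDays = 7, sizeRatio = 3 } = {}) {
  const versions = Object.keys(meta.versions).sort(compareSemver);
  const findings = [];
  let prevSize = null;
  const dayMs = 24 * 60 * 60 * 1000;

  for (const v of versions) {
    const info = meta.versions[v];
    const reasons = [];

    if (info.deprecated) {
      reasons.push(`deprecated: ${info.deprecated}`);
    }

    const published = meta.time && meta.time[v] ? Date.parse(meta.time[v]) : NaN;
    if (!Number.isNaN(published) && now - published < maxAgeDays * dayMs) {
      reasons.push(`published ${Math.floor((now - published) / dayMs)} day(s) ago`);
    }

    const size = info.dist && info.dist.unpackedSize;
    if (prevSize && size && size / prevSize >= sizeRatio) {
      reasons.push(`unpacked size ${size} is ${(size / prevSize).toFixed(1)}x the previous release (${prevSize})`);
    }

    if (reasons.length > 0) findings.push({ version: v, reasons });
    if (size) prevSize = size;
  }
  return findings;
}

// Stand-alone run over the constructed sample, with a fixed "now" so the
// age check is reproducible.
for (const f of auditVersions(SAMPLE_METADATA, { now: Date.parse("2025-06-10T12:00:00.000Z") })) {
  console.log(`${SAMPLE_METADATA.name}@${f.version}: ${f.reasons.join("; ")}`);
}
```

To run this against a real package, save `npm view react-native-aria --json` to a file, `JSON.parse` it and pass the object to `auditVersions`. A size jump on its own is not proof of anything (a release can legitimately add a build output), but a version that trips all three checks, as 0.2.11 does in this story, is worth pinning away from in your lockfile until you have looked at the tarball contents yourself.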