Loads JavaScript from a random person’s GitHub Pages site (lonelycpp.github.io) for YouTube embeds. If that account is compromised, arbitrary code runs in the app’s WebView. […]
As quoted by John from the original work by someone called Thereallo. Sorry, the poor site has been Fireball’d.
This isn’t poking at John or the person who did the digging around, but I do have one thing to point out.
I noticed it’s an NPM package targeting React Native applications, so we know it’s a React Native application. An NPM package is installed using npm’s package manager, just as native iOS Devs would use Swift Package Manager(SPM) to get our packages.
I just don’t want the poor person who created it to be dragged for supporting the Trump Administration. They may, they may not, but the NPM pacakage gets somewhere around 100k downloads per week, so it’s built for the masses and the first release was published six years ago.