Malicious SVG files on adult websites hide JavaScript that hijacks Facebook sessions, secretly liking posts, and potentially exposing victims to identity theft and credential harvesting.

The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.

A software supply chain attack has hit the popular JavaScript package is, which has almost 2.7 million downloads per week.