LottieFiles revealed a supply chain compromise in which malicious code could lure users into connecting crypto wallets, potentially leading to asset theft.
LottieFiles, a platform that enables designers and developers to create animations, has issued a warning regarding a security breach involving its npm package, which may expose users to malicious code designed to compromise crypto wallets.
Incident Response for Recently Infected Lottie-Player versions 2.05, 2.06, 2.0.7
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player…
— LottieFiles (@LottieFiles) October 31, 2024
In an X post on Oct. 31, LottieFiles said that the affected versions — Lottie Web Player 2.0.5, 2.0.6, and 2.0.7 — were released on Oct. 30, prompting immediate concerns after multiple user reports surfaced about strange code injections. In response to the threat, LottieFiles released a new version, 2.0.8, reverting to the secure code.
“A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
LottieFiles
For those unable to update, LottieFiles recommends informing end users about potential fraudulent wallet connection prompts associated with the Lottie-player. Users may also opt to remain on version 2.0.4 to avoid risk.
LottieFiles warned that applications using the compromised npm package may inadvertently prompt users to connect their crypto wallets, opening avenues for potential theft. The developer account linked to the malicious uploads has been stripped of access, and related tokens have been revoked to halt any further unauthorized activity, the firm added, though the full extent of the attack remains unknown.
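A practical check for the two exposure paths the article describes, pinned installs of the affected releases and unpinned CDN tags that were auto-served them, written as an added example rather than LottieFiles' own code; the HTML and lockfile inputs are constructed samples, and the unpkg URL shape is an assumption.

```javascript
// Added example (not LottieFiles' code): audit <script> tags and an npm lockfile
// for @lottiefiles/lottie-player 2.0.5-2.0.7 and for unpinned CDN references,
// which served the compromised release as "latest" on Oct 30, 2024.
const AFFECTED = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const PKG = "@lottiefiles/lottie-player";

// Version from a CDN URL such as https://unpkg.com/@lottiefiles/lottie-player@2.0.8/...
// Returns undefined for non-lottie URLs and null when no exact version is pinned
// (bare package path, @latest, or a semver range), which is the risky case.
function cdnVersion(url) {
  const m = url.match(/@lottiefiles\/lottie-player(?:@([^/?#"']+))?/);
  if (!m) return undefined;
  const v = m[1];
  return v && /^\d+\.\d+\.\d+$/.test(v) ? v : null;
}

// Classify every lottie-player <script src="..."> in an HTML string.
function auditHtml(html) {
  const findings = [];
  const re = /<script[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const v = cdnVersion(m[1]);
    if (v === undefined) continue; // unrelated script
    if (v === null) findings.push({ src: m[1], issue: "unpinned CDN reference" });
    else if (AFFECTED.has(v)) findings.push({ src: m[1], issue: `affected version ${v}` });
  }
  return findings;
}

// Check a parsed package-lock.json (lockfileVersion 2/3 "packages" map),
// including nested copies under other dependencies, for affected installs.
function auditLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${PKG}`) && AFFECTED.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample inputs (not a real page or lockfile).
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://cdn.example.invalid/other-lib.js"></script>`;
const SAMPLE_LOCK = { packages: { "node_modules/@lottiefiles/lottie-player": { version: "2.0.7" } } };
```

Pinned 2.0.8 (or 2.0.4) tags produce no finding; anything reported should be pinned to a known-good version, ideally with an integrity attribute, and any lockfile hit reinstalled.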