Introduction

On October 30, 2024 [2] [3] [4], the open-source npm package @lottiefiles/lottie-player was compromised in a supply chain attack. The attacker published three malicious releases, versions 2.0.5, 2.0.6 and 2.0.7 [1] [2] [3] [4] [8], that injected code designed to drain users' cryptocurrency wallets.

Description

On October 30, 2024 [2] [3] [4], a supply chain attack compromised the popular open-source npm package @lottiefiles/lottie-player; the malicious code was shipped in versions 2.0.5, 2.0.6 and 2.0.7 [1] [2] [3] [4] [8]. The injected code prompted visitors of otherwise legitimate websites to connect their Web3 wallets [2], with the goal of siphoning assets from those wallets. The malicious releases displayed deceptive popups that mimicked wallet services such as MetaMask, Exodus [1] and Coinbase [1], and reused code and UI elements from the official wallet SDKs so that the prompts looked authentic [1]; a user who approved the connection request exposed the wallet to the attacker. The attack was made possible by a compromised access token belonging to a LottieFiles developer, which allowed the attacker to publish the tampered versions of the legitimate library. Because lottie-player is embedded on numerous high-traffic websites [4], particularly in the cryptocurrency sector [4], the impact was immediate, with at least one reported loss of 10 Bitcoin (approximately $723,436) [4].

In response, LottieFiles removed the compromised versions from both the npm registry and GitHub and confirmed that the infected versions were gone from its repositories [10]. It then published a secure update, version 2.0.8 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], which is a re-release of the previously stable version 2.0.4 [1]. Users are strongly encouraged to upgrade to 2.0.8, which has been confirmed as safe [3], or to pin to 2.0.4 if an immediate update is not possible. The npm integrity value (sha512) for 2.0.8 is sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ== [3]; this is the value that should appear in package-lock.json for the 2.0.8 tarball, so it can be compared against the lockfile directly. Note that 2.0.5 through 2.0.7 are patch releases, so any project with a caret or tilde range on 2.0.x that reinstalled during the exposure window could have pulled them in automatically; the lockfile, not package.json, shows what was actually installed. If an update cannot be performed right away, site operators should tell their end-users to reject any unexpected wallet connection requests and to treat popups on cryptocurrency platforms with suspicion.

While the affected versions have been removed from npmjs.com [3], they remain accessible on CDNjs.com via explicit version specifiers [3]; unversioned references on the CDN now resolve to 2.0.8, but a page that pins one of the compromised version numbers in its script tag keeps loading the malicious file. Website administrators and developers should audit their dependencies and CDN script tags to ensure that none of the compromised versions are in use, and update promptly to the safe version or revert to 2.0.4 if necessary. On its side, LottieFiles reports that it has removed all access and associated tokens and service accounts of the impacted developer [9]. LottieFiles states that its other open-source libraries [6], including the DotLottie player, as well as its SaaS services, are unaffected by this incident. Security teams are advised to pin dependency versions and to monitor for suspicious transactions following Web3 wallet connections.
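The dependency and script-tag audit described above, as an added example that is not LottieFiles' code or part of the original advisory. It walks a package-lock.json object (lockfile versions 1, 2 and 3, including nested copies of the package), flags the three compromised releases, checks that an installed 2.0.8 carries the integrity value published in [3], and scans HTML for CDN script tags that load lottie-player, treating a missing version or a `latest` tag as unpinned. The sample lockfile and HTML are constructed for the example; the cdnjs path layout (`/ajax/libs/lottie-player/<version>/`) and the unpkg/jsDelivr layout (`@lottiefiles/lottie-player@<version>`) are assumptions about those CDNs. The SRI check only reports whether an `integrity` attribute is present on the script tag, because a CDN file's SRI hash is a hash of that file, not the npm tarball hash quoted above.

```javascript
// Added example (not LottieFiles' code): audit a lockfile and an HTML page for
// the compromised @lottiefiles/lottie-player releases.
const PACKAGE_NAME = "@lottiefiles/lottie-player";
const COMPROMISED_VERSIONS = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const SAFE_VERSION = "2.0.8";
// Integrity value published for 2.0.8 in the LottieFiles advisory (reference [3]).
const SAFE_INTEGRITY =
  "sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==";

function classifyVersion(version) {
  if (COMPROMISED_VERSIONS.has(version)) return "compromised";
  if (version === SAFE_VERSION) return "safe";
  return "other"; // e.g. 2.0.4 or older: not malicious, but not the recommended release
}

// One installed copy from the lockfile. A 2.0.8 whose tarball integrity differs
// from the published value is reported separately rather than trusted.
function describeInstalled(path, meta) {
  let status = classifyVersion(meta.version);
  if (status === "safe" && meta.integrity !== SAFE_INTEGRITY) status = "integrity-mismatch";
  return { path, version: meta.version, status };
}

// Report every installed copy of the package, including nested ones under
// other dependencies' node_modules.
function auditLockfile(lock) {
  const findings = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/" + PACKAGE_NAME || path.endsWith("/node_modules/" + PACKAGE_NAME)) {
      findings.push(describeInstalled(path, meta));
    }
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name
  // (v2 lockfiles carry both shapes; only walk this one when "packages" is absent)
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PACKAGE_NAME) findings.push(describeInstalled(path, meta));
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Find <script src="..."> tags that load lottie-player from a CDN and classify
// them. Assumed layouts: cdnjs /lottie-player/<version>/, unpkg and jsDelivr
// @lottiefiles/lottie-player@<version>. No version, "latest" or a semver range
// counts as unpinned.
function auditHtml(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']*lottie-player[^"']*)["'][^>]*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [tag, src] = m;
    const v = /lottie-player[@\/](\d+\.\d+\.\d+)/.exec(src);
    const version = v ? v[1] : null;
    findings.push({
      src,
      version,
      status: version ? classifyVersion(version) : "unpinned",
      sri: /\bintegrity\s*=/i.test(tag), // presence only; the hash is per CDN file
    });
  }
  return findings;
}

function runAudit(lock, html) {
  const lockFindings = auditLockfile(lock);
  const htmlFindings = auditHtml(html);
  const problems = [
    ...lockFindings.filter((f) => f.status !== "safe"),
    ...htmlFindings.filter((f) => f.status !== "safe" || !f.sri),
  ];
  return { lockFindings, htmlFindings, problems, clean: problems.length === 0 };
}

// Constructed sample inputs: a v3 lockfile with a compromised top-level copy and
// a nested, correctly pinned 2.0.8, plus a page with three CDN script tags.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@lottiefiles/lottie-player": {
      version: "2.0.7",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH",
    },
    "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": {
      version: "2.0.8",
      integrity: SAFE_INTEGRITY,
    },
  },
};
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.6/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAudit(SAMPLE_LOCK, SAMPLE_HTML), null, 2));
}
```

Running it on the constructed inputs reports the top-level 2.0.7 as compromised, the nested 2.0.8 as safe, the `@latest` tag as unpinned, the cdnjs 2.0.6 tag as compromised with no SRI, and the pinned 2.0.8 tag as safe. For a real audit, replace the samples with `JSON.parse(fs.readFileSync("package-lock.json"))` and the site's rendered HTML; other lockfile formats (yarn.lock, pnpm-lock.yaml) need their own parser.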

Conclusion

The attack on the @lottiefiles/lottie-player package underscores how exposed software supply chains are, particularly in the cryptocurrency sector [4], where a single compromised publish token turned a widely embedded animation library into a wallet-draining vector. The swift response by LottieFiles, removing the compromised versions and re-releasing a known-good build as 2.0.8, limited further damage. Moving forward, developers and security teams must keep robust controls in place, including regular dependency audits, version pinning [3] [4] and monitoring for suspicious activity, to reduce the impact of similar incidents.

References

[1] https://www.sonatype.com/blog/lottie-player-compromised-in-supply-chain-attack-all-you-need-to-know
[2] https://www.wiz.io/blog/lottie-player-supply-chain-attack
[3] https://github.com/LottieFiles/lottie-player/issues/254
[4] https://securityonline.info/supply-chain-attack-on-popular-animation-library-lottie-player-targets-web3-users/
[5] https://www.cryptometer.io/news/malicious-popups-hit-crypto-apps-after-major-library-hack/
[6] https://dailysecurityreview.com/security-spotlight/lottiefiles-npm-supply-chain-attack-drains-cryptocurrency-wallets/
[7] https://www.helpnetsecurity.com/2024/10/31/lottie-player-compromise/
[8] https://thehackernews.com/2024/10/lottiefiles-issues-warning-about.html
[9] https://www.techtarget.com/searchSecurity/news/366614668/Lottie-Player-NPM-package-compromised-in-supply-chain-attack
[10] https://coinpedia.org/news/crypto-hack-lottie-player-breach-leads-to-crypto-wallet-draining/