Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups
A supply chain compromise involving Lottie Player, a widely used web component for playing site and app animations, has made popular decentralized finance apps show pop-ups urging users to connect their wallets, TradingView has reported.
The pop-up (Source: Lottie Player GitHub repository)
Users who did so – and it seems that there was at least one victim – had their wallets drained.
The Lottie Player compromise
Website admins began complaining about the pop-up and asking for answers on the LottieFiles forums and on the Lottie Player GitHub repository on Wednesday.
“On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code,” the company developing the player confirmed earlier today.
“Versions 2.0.5, 2.0.6, 2.0.7 were published directly to [the main npm registry] over the course of an hour using a compromised access token from a developer with the required privileges.”
Those versions contained code for showing the pop-up and connecting to users’ crypto wallets, and “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
The company says that their dotLottie player was not affected, and neither were their open source libraries, open source code, GitHub repositories, and their SaaS services.
What to do?
Threat actors regularly manage to publish malicious packages, or hijack legitimate ones, on npmjs.
A new safe version (v2.0.8) of the Lottie Player has been published and the compromised package versions have been removed from the npm registry.
“The new 2.0.8 release is being served on CDNs as the latest, that should fix the issue for many folks (but highly recommend using a fixed version as best practice),” Jawish Hameed, VP of Engineering at LottieFiles, confirmed.
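The "fixed version" advice above, as an added example that is not LottieFiles' own code or tooling: a small audit script that scans a page's HTML for `<script>` tags loading `@lottiefiles/lottie-player` from a CDN and reports whether each one is pinned to an exact version and carries a Subresource Integrity hash. The CDN host, the sample tags and the SRI hash are constructed placeholders.

```javascript
// Added example: audit HTML for CDN <script> tags that load
// @lottiefiles/lottie-player without a pinned version or SRI hash.
// Unpinned tags (no version, "latest", or a caret/tilde range) would have
// picked up the malicious 2.0.5-2.0.7 releases automatically, as described.
const PACKAGE = "@lottiefiles/lottie-player";

// Matches the package name followed by an optional @version in a URL path,
// e.g. .../@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js
const VERSION_RE = /@lottiefiles\/lottie-player(?:@([^/]+))?/;

// Exact semver: major.minor.patch, optional pre-release/build suffix.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

function classifyVersion(v) {
  if (v === undefined || v === "" || v === "latest") return "unpinned";
  if (EXACT_SEMVER.test(v)) return "pinned";
  return "range"; // e.g. "2", "2.0", "^2.0.0", "~2.0.5"
}

// Returns one finding per <script> tag that references the package.
function auditLottieScripts(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*>/gi; // [^>] also spans newlines inside a tag
  for (const m of html.matchAll(tagRe)) {
    const tag = m[0];
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src || !src.includes(PACKAGE)) continue;
    const version = (src.match(VERSION_RE) || [])[1];
    const hasIntegrity = /\bintegrity\s*=\s*["']sha(?:256|384|512)-/i.test(tag);
    const pinning = classifyVersion(version);
    findings.push({
      src,
      version: version || null,
      pinning,
      integrity: hasIntegrity,
      // Safe only when an exact version is pinned AND SRI is present.
      ok: pinning === "pinned" && hasIntegrity,
    });
  }
  return findings;
}

// Constructed sample page; the integrity hash is a placeholder, not a real SRI value.
const SAMPLE_HTML = `
<script src="https://cdn.example/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@^2.0.0/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
`;
```

Only the last tag in the sample passes; the first three would have received whatever the CDN served as "latest" during the hour the malicious versions were live.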
If updating isn’t possible, visitors and app users should be warned not to accept any attempts to connect their crypto wallets.
“LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise,” the company concluded.
Time will tell just how much cryptocurrency the attackers managed to pilfer in this attack.
UPDATE (November 1, 2024, 05:45 a.m. ET):
“Investigations revealed a successful ATO (account takeover) of our employee’s NPM account via email phishing,” LottieFiles concluded.
The company has:
- Revoked individual developers’ access to the company’s NPM repositories
- Revoked NPM keys and suspended NPM automations
- Removed infected files from content delivery networks
“We are in the process of implementing immediate measures for a secure and more robust delivery of open source code and will provide updates to the community soon,” they added.
The compromise affected users of the 1inch decentralized app (dApp) platform who accessed it via their browser.
“Only the 1inch web dApp was affected; the 1inch Wallet, API, and protocols were never compromised,” the company said. “All confirmed losses are subject for refunds. If your wallet was affected, please revoke ERC20 approvals from malicious addresses using http://revoke.cash to prevent further access.”