A supply chain compromise of Lottie Player, a widely used web component for playing animations on websites and in apps, has caused popular decentralized finance (DeFi) apps to show pop-ups urging users to connect their crypto wallets, TradingView has reported.
The pop-up (Source: Lottie Player GitHub repository)
Users who connected their wallets in response, and it seems there was at least one victim, had those wallets drained.
The Lottie Player compromise
Website admins began complaining about the pop-up and asking for answers on the LottieFiles forums and on the Lottie Player GitHub repository on Wednesday.
“On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code,” the company developing the player confirmed earlier today.
“Versions 2.0.5, 2.0.6, 2.0.7 were published directly to [the main npm registry] over the course of an hour using a compromised access token from a developer with the required privileges.”
Those versions contained code for showing the pop-up and connecting to users’ crypto wallets, and “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
The company says that its dotLottie player was not affected, and neither were its other open source libraries and code, its GitHub repositories, or its SaaS services.
What to do?
Threat actors regularly manage to publish malicious packages on npm or to hijack legitimate ones, so a compromised maintainer token reaching every unpinned consumer within an hour is not an isolated failure mode.
A new safe version (v2.0.8) of the Lottie Player has been published and the compromised package versions have been removed from the npm registry.
“The new 2.0.8 release is being served on CDNs as the latest, that should fix the issue for many folks (but highly recommend using a fixed version as best practice),” Jawish Hameed, VP of Engineering at LottieFiles, confirmed.
If updating or pinning isn’t possible, visitors and app users should be warned not to accept any prompt to connect their crypto wallets.
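The two conditions described above (a CDN script tag with no pinned version, and a lockfile that resolves to one of the three pulled releases) are easy to check for mechanically. The following Node.js script is an added example written for this article; it is not LottieFiles' code and not part of the original report. It assumes unpkg/jsDelivr-style URLs of the form `https://<cdn>/@lottiefiles/lottie-player@<spec>/dist/lottie-player.js` (with the `@<spec>` part optional), a package-lock.json v2/v3 layout, and constructed sample inputs; the `integrity` value in the sample is a placeholder, not a real hash of 2.0.8.

```javascript
// Added example: audit HTML and a package-lock.json for unpinned or
// compromised @lottiefiles/lottie-player references. Not LottieFiles' code.
const PACKAGE = '@lottiefiles/lottie-player';
// Versions named in the LottieFiles statement as unauthorized releases.
const COMPROMISED = new Set(['2.0.5', '2.0.6', '2.0.7']);
// Only an exact x.y.z counts as pinned; "latest", "^2", "~2.0" and "" do not.
const EXACT_SEMVER = /^\d+\.\d+\.\d+$/;

// Pull every <script ... src="..."> out of a page; attribute order and
// line breaks inside the tag are not assumed.
function scriptTags(html) {
  const tags = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;
    tags.push({
      src: src[1],
      integrity: /\bintegrity\s*=\s*["']([^"']+)["']/i.test(attrs),
    });
  }
  return tags;
}

// Version specifier following the package name in an assumed CDN URL layout.
// null: not a lottie-player URL; '': no specifier, so the CDN serves latest.
function cdnVersionSpec(src) {
  const idx = src.indexOf(PACKAGE);
  if (idx === -1) return null;
  const rest = src.slice(idx + PACKAGE.length);
  if (!rest.startsWith('@')) return '';
  return rest.slice(1).split('/')[0];
}

// Findings: 'unpinned' (CDN picks the version), 'compromised-version',
// and 'no-sri' (no Subresource Integrity hash, so a swapped file is accepted).
function auditHtml(html) {
  const findings = [];
  for (const tag of scriptTags(html)) {
    const spec = cdnVersionSpec(tag.src);
    if (spec === null) continue;
    if (!EXACT_SEMVER.test(spec)) {
      findings.push({ src: tag.src, issue: 'unpinned', spec });
    } else if (COMPROMISED.has(spec)) {
      findings.push({ src: tag.src, issue: 'compromised-version', spec });
    }
    if (!tag.integrity) {
      findings.push({ src: tag.src, issue: 'no-sri', spec });
    }
  }
  return findings;
}

// package-lock.json v2/v3 (assumed): resolved versions live under "packages",
// keyed by install path, so nested copies are covered too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PACKAGE)) continue;
    if (COMPROMISED.has(entry.version)) {
      findings.push({ path, version: entry.version, issue: 'compromised-version' });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real site).
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER-compute-from-the-real-2.0.8-file" crossorigin="anonymous"></script>
`;
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'site', version: '1.0.0' },
    'node_modules/@lottiefiles/lottie-player': { version: '2.0.6' },
  },
};

console.log(auditHtml(SAMPLE_HTML));   // 3 tags flagged, 2.0.8 with SRI is clean
console.log(auditLockfile(SAMPLE_LOCK)); // one hit: 2.0.6
```

Only the fourth sample tag passes both checks: it pins 2.0.8 and carries an `integrity` attribute, so even a later rogue publish to the registry or a CDN-side swap would fail the browser's hash check rather than execute. A real deployment must replace the placeholder with the hash of the actual 2.0.8 file.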
“LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise,” the company concluded.
Time will tell just how much cryptocurrency the attackers managed to pilfer in this attack.