LottieFiles, a popular platform used by developers and designers to create animations for mobile devices and websites, recently faced a supply chain attack that put users at risk of losing their cryptocurrency. In a detailed incident response report posted on X, formerly Twitter, LottieFiles revealed that on Oct. 30, threat actors compromised the JavaScript library for Lottie Player versions 2.0.5-2.0.7.
The attack involved injecting malicious code into new versions of Lottie Player on NPM, a widely used package manager for JavaScript. The injected code created a deceptive pop-up that prompted users to sign into their cryptocurrency wallets, potentially putting their funds in jeopardy. Fortunately, LottieFiles stated that its DotLottie player and SaaS services were not affected by the breach.
According to LottieFiles, the attack was initiated by publishing compromised versions of the JavaScript library directly to npmjs.com using a developer’s compromised access token with the necessary privileges. This allowed a large number of users utilizing the library via third-party CDNs to inadvertently receive the compromised version as the latest release. LottieFiles advised users to update to the safe version 2.0.8 and remove the compromised package versions from NPM to mitigate the risk.
Reports of suspicious activity surfaced on LottieFiles’ GitHub page and customer forum, prompting security researcher Gal Nagli from Wiz to alert the community about the ongoing supply chain attack. The decentralized finance platform 1inch also confirmed that some of its users had been impacted by the malicious activity, emphasizing the importance of staying vigilant against such threats.
Wiz researchers further delved into the incident, revealing that the compromised token belonged to a library maintainer, though the method used to obtain the token remained undisclosed. The attackers aimed to exploit unsuspecting users by creating a fraudulent Web3 wallet prompt, with the intent to drain their digital assets.
As Lottie Player is a widely used tool with over 4 million lifetime uses and 94,000 weekly downloads, the potential impact of the supply chain attack could be substantial. Wiz urged website administrators and developers to conduct thorough audits of their dependencies to identify and update any affected versions promptly.
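The dependency audit that LottieFiles and Wiz recommend can be scripted. The following is an added example, not code from LottieFiles or Wiz; it assumes the npm package is named `@lottiefiles/lottie-player`, that the project uses a lockfile v2/v3 `packages` map, and that CDN script tags embed the version as `lottie-player@x.y.z`. The lockfile and HTML inputs are constructed samples.

```javascript
// Affected releases named in the advisory and the release that fixes them.
const AFFECTED = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const SAFE = "2.0.8";
const PACKAGE = "@lottiefiles/lottie-player"; // assumed npm package name

// Walk a package-lock.json "packages" map (lockfile v2/v3) and report every
// installed copy of the package, including nested ones, at an affected version.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE) && AFFECTED.has(meta.version)) {
      hits.push({ where: path, version: meta.version, fix: SAFE });
    }
  }
  return hits;
}

// Scan HTML for <script src> tags that load the package from a CDN. A pinned
// affected version is flagged; an unpinned tag ("@latest" or no version) is
// flagged too, since such tags received the malicious "latest" release.
function auditHtml(html) {
  const hits = [];
  const re = /<script[^>]+src=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1];
    if (!src.includes(PACKAGE)) continue;
    const v = src.match(/lottie-player@(\d+\.\d+\.\d+)/);
    if (!v) hits.push({ where: src, version: "unpinned", fix: "pin to " + SAFE });
    else if (AFFECTED.has(v[1])) hits.push({ where: src, version: v[1], fix: SAFE });
  }
  return hits;
}

// Constructed sample inputs: one direct affected install, one nested safe copy,
// one pinned affected CDN tag, one unpinned tag, and one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
    "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": { version: "2.0.8" },
  },
};
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.example/other-lib@2.0.5/x.js"></script>`;
```

Running `auditLockfile(SAMPLE_LOCK)` reports the direct 2.0.6 install, and `auditHtml(SAMPLE_HTML)` reports the 2.0.7 tag plus the unpinned `@latest` tag.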
Software supply chain attacks have been increasingly prevalent, with threat actors targeting open-source software through various means, including compromised NPM packages and maliciously crafted packages published to public registries. This incident serves as a stark reminder of the importance of vigilance and proactive security measures in safeguarding against such malicious activities.
In conclusion, the LottieFiles supply chain attack underscores the critical need for robust security practices and heightened awareness within the development community to mitigate the risks posed by cyber threats. Stay informed, stay updated, and stay secure.