26 November 2024

Supply chain attack targets popular npm package LottieFiles


Researchers from ReversingLabs detected a supply chain attack involving the widely used npm package @lottiefiles/lottie-player. The company identified three malicious versions of the package—2.0.5, 2.0.6, and 2.0.7—designed to steal crypto wallet assets.

According to ReversingLabs, the attack was executed using an unauthorized access token from a privileged developer account.

@lottiefiles/lottie-player, which is widely used for embedding Lottie animations on websites, has an estimated 84,000 weekly downloads and over 50 versions. The malicious versions, released eight months after the previous update, contained altered code that triggered web3 wallet connection pop-ups. When unsuspecting users connected their wallets, the attackers drained their crypto assets.

Developers quickly noticed unusual behavior, including unexpected pop-ups on sites using the compromised versions. Following discussions on GitHub and developer forums, the package maintainers removed the infected versions and released a clean update, reverting to the last secure version, 2.0.4.

“In the case of the @lottiefiles/lottie-player, the supply chain compromise was detected quickly. However, that doesn’t mean that malicious actors couldn’t work in the future towards being even more secretive and better at hiding their malicious code. That’s why it’s necessary for developers to conduct security assessments that can verify the integrity and quality of public, open source libraries for safety before they are used,” the researchers noted.
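The practical check a developer wants after a story like this is whether any copy of the affected versions is actually installed in a project, which is decided by the lockfile rather than by the version range in package.json (a range such as `^2.0.4` would have resolved to 2.0.7 while the malicious releases were live). The following Node.js script is an added example, not code from the article, from ReversingLabs or from LottieFiles: it scans an npm lockfile (both the flat `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of version 1) for the three versions the article names, and proposes a package.json `overrides` entry that forces every copy back to 2.0.4, the version the maintainers reverted to. The two lockfiles embedded below are constructed sample data.

```javascript
// Added example: find installed copies of the @lottiefiles/lottie-player versions the
// article names as malicious (2.0.5, 2.0.6, 2.0.7) in an npm lockfile, and suggest an
// "overrides" pin to the last clean version (2.0.4). Lockfile samples are constructed.

const AFFECTED = {
  "@lottiefiles/lottie-player": new Set(["2.0.5", "2.0.6", "2.0.7"]),
};
const LAST_SAFE = { "@lottiefiles/lottie-player": "2.0.4" };

// Package name from a lockfile v2/v3 install path such as
// "node_modules/foo/node_modules/@lottiefiles/lottie-player" (scoped names keep their "/").
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Returns one finding per installed copy of an affected version:
// { name, version, where (install path), pinTo (last safe version) }.
function findAffected(lockfile) {
  const findings = [];
  const check = (name, version, where) => {
    const bad = AFFECTED[name];
    if (bad && bad.has(version)) {
      findings.push({ name, version, where, pinTo: LAST_SAFE[name] });
    }
  };

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path; "" is the root project.
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (installPath === "" || !entry.version) continue;
    check(entry.name || nameFromPath(installPath), entry.version, installPath);
  }

  // lockfileVersion 1: nested "dependencies" tree, one level per nested node_modules.
  if (!lockfile.packages) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const where = `${prefix}node_modules/${name}`;
        check(name, entry.version, where);
        walk(entry.dependencies, `${where}/`);
      }
    };
    walk(lockfile.dependencies, "");
  }
  return findings;
}

// An "overrides" object for package.json that forces every copy of an affected package
// (including transitive copies) back to the last safe version.
function overridesFor(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = f.pinTo;
  return overrides;
}

// Constructed sample: a v3 lockfile whose caret range "^2.0.4" resolved to a malicious release.
const SAMPLE_LOCK_V3 = {
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", dependencies: { "@lottiefiles/lottie-player": "^2.0.4" } },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
    "node_modules/lit": { version: "3.1.0" },
  },
};

// Constructed sample: a v1 lockfile where a clean top-level copy hides a malicious nested one.
const SAMPLE_LOCK_V1 = {
  name: "example-site",
  lockfileVersion: 1,
  dependencies: {
    "some-widget": {
      version: "1.2.3",
      dependencies: { "@lottiefiles/lottie-player": { version: "2.0.7" } },
    },
    "@lottiefiles/lottie-player": { version: "2.0.4" },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  const findings = findAffected(lock);
  console.log(`lockfileVersion ${lock.lockfileVersion}: ${findings.length} affected copy(ies)`);
  for (const f of findings) console.log(`  ${f.where} is ${f.version}; pin to ${f.pinTo}`);
  console.log("  suggested package.json overrides:", JSON.stringify(overridesFor(findings)));
}
```

To use it on a real project, replace the constructed samples with `JSON.parse(fs.readFileSync("package-lock.json"))`. The check deliberately works on resolved versions rather than on declared ranges, because a range that looks fine in package.json is exactly how a poisoned release reaches a build; running it in CI against the committed lockfile catches the case where a lockfile refresh quietly picks up such a version. The same structure extends to any other package and version list published after a similar compromise.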
