Popular JavaScript library and npm package Lottie Player was compromised in a supply chain attack, with threat actors releasing three new versions of the component yesterday, all within a few hours. Intel from a leading web3 anti-scam platform suggests at least one user may have lost more than $723,000 (10 BTC) after falling victim to a phishing transaction associated with the attack.
Understand what this threat means for your business and what you need to do.
Spooky Versions Surface after Eight Months
The npm package @lottiefiles/lottie-player, published by LottieFiles, saw three new versions, 2.0.5, 2.0.6 and 2.0.7, surface yesterday on npmjs.com, the world's largest JavaScript registry, after months of no activity. These versions contained malicious code that targets users' cryptocurrency wallets in order to drain their financial assets.
Prior to yesterday, version 2.0.4, published in March 2024, was the latest stable version of the component in use.
Developers use the Lottie Player component to embed and play Lottie animations, and it is rather popular: it receives more than 94,000 weekly downloads and has been downloaded more than 4 million times over the course of its lifetime.

CDN Distributed Malicious Code Automatically
Yesterday, users visiting websites using Lottie Player panicked as they were greeted with surprise popups inviting them to “connect” their cryptocurrency wallets to the website.
The list of cryptocurrency wallets in these popups was extensive and included widely used services such as MetaMask, Exodus and Coinbase:

Image credit: katerinavett
Whereas legitimate Lottie Player versions make no mention of blockchain services, the tainted versions 2.0.5, 2.0.6 and 2.0.7 bundle code and UI from the official SDKs of cryptocurrency wallet platforms to facilitate a wallet login and gain access to victims' financial assets.
The main distributable file in compromised