Lottie Player NPM package compromised in supply chain attack
Threat actors published compromised versions of the Lottie Player component on NPM, and the malicious code prompted users to access their cryptocurrency wallets.
Threat actors compromised the popular JavaScript library Lottie Player in an extensive supply chain attack designed to steal users' cryptocurrency.
In a post on X, formerly Twitter, on Thursday, LottieFiles provided incident response (IR) details for a supply chain attack that occurred on Oct. 30 and affected versions 2.0.5-2.0.7 of the JavaScript library for its Lottie Player web player. Developers and designers use the LottieFiles platform to create animations for mobile devices and websites, and the Lottie Player component is used to embed the creations.
LottieFiles warned users that attackers injected malicious code into new versions of Lottie Player on NPM. The code created a pop-up that prompted users to sign into their cryptocurrency wallets. The software company said its DotLottie player and SaaS services are unaffected.
LottieFiles provided insight into how the supply chain attack was initiated and what files it affected.
"Versions 2.0.5, 2.0.6, 2.0.7 were published directly to http://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges," LottieFiles wrote in the Twitter post. "A large number of users using the library via third-party CDNs [content delivery network] without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix."
LottieFiles urged users to use the newly published version 2.0.8 and to unpublish the compromised package versions from NPM. Additionally, LottieFiles recommended that Lottie Player users "remove all access and associated tokens/services accounts of the impacted developer." The company said it engaged an external IR team to assist with the investigation, which is ongoing.
Reports of the threat activity first emerged on Wednesday as users posted reports of suspicious activity on LottieFiles' GitHub page and customer forum. Gal Nagli, a security researcher with Wiz, said a "massive supply chain attack" was underway in a post on X on Wednesday evening.
Also on Wednesday, decentralized finance platform 1inch confirmed some of its users were affected by the supply chain attack.
On Oct 30, 9:12 PM - 11:22 PM CET, 1inch dApp users may have encountered a malicious wallet connect and signature request.
This signature allows an attacker to drain user's funds.
Only the 1inch web dApp was affected; the 1inch Wallet, API, and protocols were never compromised.
— 1inch (@1inch) October 31, 2024
Wiz researchers published a blog post on the supply chain attack on Thursday. The researchers confirmed attackers initiated the incident on Wednesday and that the compromised token belonged to a library maintainer. It is unclear how they obtained the token.
A LottieFiles user initially reported the incident on GitHub after using one of the compromised Lottie Player URLs and a CDN URL to embed creations onto a website. Wiz said the malicious code creates a prompt for Web3 wallets, where users store digital currency. Wiz warned that the attackers' goal is to "drain" affected users' assets.
While it is unclear how many users were affected, Wiz said the Lottie Player tool is popular among users.
"Widely used across mobile and web applications, it sees over 4 million lifetime uses and 94,000 weekly downloads, making it a prime candidate for potential supply chain attacks that could affect countless users and organizations," Wiz researchers wrote in the blog post.
Wiz recommended that website administrators and developers audit their dependencies to identify whether they are using any affected versions and update immediately.
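The audit Wiz recommends can be scripted. The following is an added example, not code from LottieFiles, Wiz or this article: it flags script tags that load Lottie Player from a CDN without an exact version pin or at versions 2.0.5 to 2.0.7, and finds those versions in a package-lock.json. The package name @lottiefiles/lottie-player, the CDN URLs and the lockfile contents are assumptions constructed for the example.

```javascript
// Added example. PKG is the assumed npm name; BAD lists the versions named in the article.
const PKG = '@lottiefiles/lottie-player';
const BAD = new Set(['2.0.5', '2.0.6', '2.0.7']);

// Classify a script URL: which version of the package will the CDN serve?
function classifyUrl(url) {
  const i = url.indexOf(PKG);
  if (i === -1) return 'not-lottie-player';
  const rest = url.slice(i + PKG.length);
  if (rest && !'@/'.includes(rest[0])) return 'not-lottie-player'; // longer package name
  const m = rest.match(/^@([^/]+)/);
  if (!m) return 'unpinned';                 // no version given: CDN serves the latest
  if (BAD.has(m[1])) return 'compromised';
  // Only an exact x.y.z pin is stable; tags and ranges (latest, 2, ^2.0.0) float.
  return /^\d+\.\d+\.\d+(-[\w.]+)?$/.test(m[1]) ? 'pinned' : 'unpinned';
}

// List every <script src> in a page that loads the package, with its status.
function scanHtml(html) {
  const out = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const status = classifyUrl(m[1]);
    if (status !== 'not-lottie-player') out.push({ src: m[1], status });
  }
  return out;
}

// Find affected installs, including nested copies, in a package-lock.json (v2/v3).
function scanLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => p.endsWith('node_modules/' + PKG) && BAD.has(meta.version))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Constructed sample inputs (not taken from any real site or project).
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://example.test/app.js"></script>`;
const SAMPLE_LOCK = { packages: {
  'node_modules/@lottiefiles/lottie-player': { version: '2.0.8' },
  'node_modules/widget/node_modules/@lottiefiles/lottie-player': { version: '2.0.7' },
} };

console.log(scanHtml(SAMPLE_HTML));
console.log(scanLockfile(SAMPLE_LOCK));
```

Anything reported as unpinned would have been served whatever version was latest during the incident window, so it needs the same review as a compromised hit.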
Software supply chain attacks have been on the rise in recent years as threat actors have targeted open-source software through GitHub repositories and other resources. In several instances, attackers have either compromised NPM packages or created malicious packages designed to trick unsuspecting users.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.