LottieFiles Issues Warning About Compromised "lottie-player" npm Package
LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library.
"On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a statement on X. "This does not impact our dotlottie player and/or SaaS service."
LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It's also the developer behind an npm package named lottie-player, which allows for embedding and playing Lottie animations on websites.
According to the company, "a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release."
The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users who are on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8.
"Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges," LottieFiles noted.
Besides releasing a fix, the three rogue versions have been unpublished from the npm package repository. LottieFiles said it has also activated its incident response plan and engaged an external incident response team to assist with the investigation.
source: TheHackerNews
Free security scan for your website
Top News:
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware
November 23, 2024Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
November 23, 2024Download: CIS Critical Security Controls v8.1
August 8, 2024