Popular JavaScript library and npm package Lottie Player was compromised in a supply chain attack with threat actors releasing three new versions of the component yesterday, all in a span of a few hours. Intel from a leading web3 anti-scam platform suggests, at least one user may have lost more than $723,000 (10 BTC) after falling victim to a phishing transaction associated with the attack.
Understand what this threat means for your business and what you need to do.
Spooky versions surface after 8 months
The npm package @lottiefiles/lottie-player published by LottieFiles saw 3 new versions, 2.0.5, 2.0.6 and 2.0.7 surfacing on the world's largest JavaScript registry, npmjs.com yesterday — after months of no activity. These versions contained malicious code to target users' cryptocurrency wallets and drain their financial assets.
Prior to yesterday, version 2.0.4 published in March, 2024 was the latest and stable version of the component in use.
The Lottie Player component is used by developers for embedding and playing Lottie animations and is rather popular. It receives more than 94,000 weekly downloads and has been consumed more than 4 million times over the course of its lifetime.
CDN distributed malicious code automatically
Yesterday, users visiting websites using Lottie Player panicked as they were greeted with surprise popups inviting them to "connect" their cryptocurrency wallets to the website.
The list of cryptocurrency services in these popups were extensive and included widely popular services like MetaMask, Exodus, Coinbase, and so on:
Image credit: katerinavett
Whereas, legitimate Lottie Player versions make no mention of blockchain services, the tainted versions 2.0.5, 2.0.6 and 2.0.7 bundle code and UI from official SDKs of cryptocurrency wallet platforms to facilitate login and gain access to victim's financial assets.
The main distributable file in compromised versions, "lottie-player.js" analyzed by us clearly shows it has been modified and further minified which would make it harder to spot these malicious additions:
It is worth noting that even legitimate versions of the package (e.g. the older 2.0.4) contained minified code in the main distributable file which, to a developer glancing casually, might make the altered file in newer versions look benign:
The cause
LottieFiles confirmed on social media that it was a victim of supply chain attack achieved by threat actors via a "compromised access token from a developer with the required privileges" and immediately proceeded to remove malicious versions 2.0.5-2.0.7 from its repositories.
"The unauthorized versions contained code that prompted for connecting to user’s crypto wallets," states LottieFiles.
Unfortunately, websites and users consuming the library from content distribution networks (CDNs) without version pinning in place automatically received the malicious versions downstream.
"A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix."
The project published a new safe version 2.0.8 (which is a "re-release" of safe version 2.0.4) on npm. Users should upgrade to the fixed version 2.0.8, or alternatively downgrade to version 2.0.4 to remedy the situation.
"If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets," advises Lottie Files.
The company continues to investigate the incident and engage response teams, while confirming that "dotlottie player and/or SaaS services" were not impacted by this attack.
"We have confirmed that our other open source libraries, open source code, GitHub repositories, and our SaaS were not affected."
Tangible financial impact: More than $723,000 lost?
While unconfirmed, web3 anti-scam platform Scam Sniffer, pointed to intel suggesting that at least one user may have lost 10 Bitcoin (BTC) or $723,436 after falling victim to the phishing transaction related to the attack:
What to do?
Those consuming open source libraries from third-party CDNs should ensure that they pin their versions of the components to prevent newer, malicious versions from being pulled onto their systems, in the event of a compromises like this week's. Additionally, using a strict Content Security Policy (CSP), as suggested by multiple practitioners [1, 2] further reduces the risk of third-party script injections from unauthorized sources.
Firewall users protected from attacks
Tracked as sonatype-2024-011914, malicious versions of Lottie Player would be automatically blocked from entering your builds if you are using Sonatype Repository Firewall or Sonatype Lifecycle and consuming components from the offiical npmjs.com registry. The Sonatype Security Research team further ensured that none of our customers received the malicious versions and we continue to do our due diligence and investigate this incident further.
Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks, compromises, and vulnerabilities and provide you with detailed insights and to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components from reaching your builds.
Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.
