Popular SaaS animation platform LottieFiles has alerted its users about a security breach involving its npm package, which may have exposed users to crypto threats. The breach, stemming from a supply chain compromise, saw malicious code embedded in recent releases. This code could potentially prompt users to connect their crypto wallets, which could lead to asset theft.
Incident Response for Recently Infected Lottie-Player versions 2.05, 2.06, 2.0.7
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player…
— LottieFiles (@LottieFiles) October 31, 2024
In a post on X, formerly Twitter, LottieFiles identified three specific releases, Lottie Web Player versions 2.0.5, 2.0.6, and 2.0.7, as the compromised versions, initially deployed on October 30. Following multiple user reports of strange code injections, the company quickly released version 2.0.8, which reverts to a more secure code base.
“A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release,” the company noted in its X post.
User Advisory: Mitigating Risks from Compromised Package
If users cannot update to the latest version, the animation platform advises informing end users of potential fraudulent wallet connection prompts if the compromised package is used. For extra caution, users are advised to revert to version 2.0.4 to mitigate risk.
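The two mitigations above (update to 2.0.8, or pin an unaffected release) only help if every page that loads the player from a CDN actually names a version. The following is an added example, not code from LottieFiles or from the article: a small Node.js audit that scans HTML for script tags referencing @lottiefiles/lottie-player, reports whether each reference is unpinned (and so would have been served the compromised "latest" release), pinned to one of the three compromised versions, or pinned to a clean one, and suggests the pinned replacement. The CDN hostname and paths in the sample page are constructed for illustration; the version numbers are the ones given in the advisory.

```javascript
// Added example (not LottieFiles' code): audit <script src> references to
// @lottiefiles/lottie-player and flag unpinned or compromised versions.
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]); // from the advisory
const FIXED = "2.0.8";                                     // first clean release after the incident

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc=["']([^"']+)["']/gi;
// Package name inside a CDN path, optionally followed by @<version spec>.
const PKG_RE = /@lottiefiles\/lottie-player(?:@([^/"'\s]+))?/;

// Classify the version spec found after the package name (undefined = none).
function classify(spec) {
  if (spec === undefined || spec === "" || spec === "latest") return "unpinned";
  // Only an exact x.y.z is a pin; "2", "2.0", "^2.0.0" etc. resolve at load time.
  if (!/^\d+\.\d+\.\d+$/.test(spec)) return "unpinned";
  return COMPROMISED.has(spec) ? "compromised" : "pinned-clean";
}

// Scan HTML text and return one finding per lottie-player script reference.
function auditHtml(html) {
  const findings = [];
  for (const tag of html.matchAll(SCRIPT_SRC_RE)) {
    const src = tag[1];
    const m = PKG_RE.exec(src);
    if (!m) continue; // some other script, not the player
    findings.push({
      src,
      spec: m[1] ?? "",
      status: classify(m[1]),
      // Same URL with the version pinned to the fixed release.
      recommended: src.replace(PKG_RE, `@lottiefiles/lottie-player@${FIXED}`),
    });
  }
  return findings;
}

// Constructed sample page: hypothetical CDN host, one unpinned reference,
// one pinned to a compromised release, one pinned to the fixed release.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example.com/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.example.com/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://cdn.example.com/npm/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://cdn.example.com/npm/other-lib@1.0.0/index.js"></script>
</head></html>`;

for (const f of auditHtml(SAMPLE_HTML)) {
  console.log(`${f.status.padEnd(13)} ${f.src}`);
  if (f.status !== "pinned-clean") console.log(`  -> pin to: ${f.recommended}`);
}
```

Run it against a site's rendered HTML (for example, saved pages or a crawl) to find every unpinned reference; each one would have picked up 2.0.5 through 2.0.7 automatically during the incident window. Pinning stops the CDN from resolving "latest" on your behalf, and adding a Subresource Integrity `integrity` attribute to the pinned tag additionally makes the browser reject the file if its content ever differs from the hash you recorded.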
The company did not explain how the affected npm package came to include code that prompts users to connect their crypto wallets, which could unwittingly lead them into asset theft. In response, LottieFiles was able to revoke the access of the developer account used for the malicious uploads and disable the associated tokens, preventing further unauthorized activity. The investigation into the full extent of the compromise is ongoing.
This breach underscores the growing need for supply chain security tooling as more SaaS platforms interact with crypto assets and wallets, and it alerts users and developers alike to this class of threat.
This news is republished from another source.