On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.
What is going on?
The incident was reported on GitHub, where a user noticed unexpected Web3 wallet connection prompts when integrating lottie-player on a website. At the time, malicious versions of the library were being sourced from one of two URLs (the first is no longer compromised):
https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player[.]jshttps://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min[.]js
Upon investigation, it was determined that malicious actors had gained unauthorized access to a token owned by one of the library's maintainers (Aidosmf). This allowed them to inject malicious code into lottie-player versions 2.0.5, 2.0.6, and 2.0.7, which were published on npm between 8:12 PM and 9:57 PM GMT on October 30, 2024.
The Lottie Player component, part of the LottieFiles platform, enables embedding scalable, lightweight animations in apps and websites with minimal performance impact. Widely used across mobile and web applications, it sees over 4 million lifetime uses and 94,000 weekly downloads, making it a prime candidate for potential supply chain attacks that could affect countless users and organizations.
Upon visiting a website utilizing an affected version of the library, the injected code prompted the user to connect to their crypto wallets in an attempt to drain their assets. A large number of users visiting websites using the library sourced from third-party CDNs without a pinned version were automatically served the compromised version as the latest release. For instance, the 1inch trading platform was impacted by this attack, and they reported that 1inch dApp users may have encountered a malicious wallet connect and signature request. After the incident was identified, a safe version was published (2.0.8), and those websites would have automatically been fixed.
In response, the affected versions were also removed from npm and major CDN providers to limit further exposure. However, any websites explicitly referencing the affected versions remain at risk until they update or revert to safe versions (2.0.4 or 2.0.8).
What sort of exploitation has been identified in the wild?
Impacted organizations have been releasing statements, such as 1inch as mentioned above. Additionally, according to a report by Scam Sniffer, a transaction was detected indicating that at least one user may have fallen victim to the phishing attempt, losing 10 Bitcoin ($723,436) in the process.
Which products are affected?
lottie-player versions 2.0.5, 2.0.6, and 2.0.7, which were published on npm between 8:12 PM and 9:57 PM GMT on October 30, 2024.
Which actions should security teams take?
Audit dependencies: Website administrators and developers should audit their dependencies to identify if they are using any of the affected versions.
Update or revert: Immediately update to version
2.0.8or revert to2.0.4to avoid the compromised versions.
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
