LottieFiles disclosed a supply chain compromise in which malicious code planted in its npm package could entice users to connect crypto wallets, potentially leading to asset theft
LottieFiles, a platform that helps designers and developers create animations, has issued a warning about a compromise of its npm package. The tampered releases may expose users to malicious code designed to target crypto wallets.
LottieFiles announced in an X post on Oct. 31 that the affected versions — Lottie Web Player 2.0.5, 2.0.6, and 2.0.7 — were published on Oct. 30.
The announcement followed numerous user reports of unusual code injections in the package. LottieFiles responded by releasing a new version, 2.0.8, which restores the clean code.
“A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.” – LottieFiles
LottieFiles advises developers who cannot update to warn their end users about the fraudulent wallet-connection prompts produced by the Lottie-player. As an alternative, they can stay on version 2.0.4, which predates the tampered releases, to mitigate the risk.
LottieFiles cautioned that applications using the compromised npm package may, without the developer's knowledge, prompt users to connect their crypto wallets, giving the attacker a path to steal assets.
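The mechanism LottieFiles describes above is ordinary version resolution: a CDN or lockfile that does not pin an exact version resolves to the newest release, so the moment 2.0.5 was published, unpinned sites started loading it. The following script, added here as an example and not LottieFiles' code, audits an npm lockfile and the `<script>` tags of an HTML page for the affected releases and rewrites an unpinned CDN URL to a fixed version. It assumes the npm package is named `@lottiefiles/lottie-player` (the page only says "Lottie Web Player"), treats 2.0.5, 2.0.6 and 2.0.7 as affected and 2.0.8 or 2.0.4 as safe, as the advisory states, and uses constructed sample inputs in place of a real project's files.

```javascript
// Added example, not LottieFiles' code: audit an npm lockfile and CDN
// <script> URLs for the compromised lottie-player releases and pin an
// unpinned CDN URL to a known-good version.
// Assumption: the npm package is "@lottiefiles/lottie-player" (the page
// calls it "Lottie Web Player"); 2.0.5-2.0.7 are the affected versions
// and 2.0.8 / 2.0.4 the safe ones named in the advisory.

const PKG = '@lottiefiles/lottie-player';
const AFFECTED_VERSIONS = new Set(['2.0.5', '2.0.6', '2.0.7']);

function isAffected(name, version) {
  return name === PKG && AFFECTED_VERSIONS.has(version);
}

// Walk package-lock.json (lockfileVersion 2 or 3). Every key under
// "packages" is a node_modules path, so nested copies pulled in by another
// dependency are caught as well as direct installs.
function auditLockfile(lock) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (isAffected(name, entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Classify a CDN URL in the unpkg / jsDelivr "name@version/file" form.
// No version, "latest", a range (^, ~) or a bare major/minor all resolve to
// the newest matching release, which is how the compromised build reached
// unpinned sites.
const SPEC_RE = /@lottiefiles\/lottie-player(?:@([^/]+))?/;
function classifyCdnUrl(url) {
  const m = SPEC_RE.exec(url);
  if (!m) return 'not-lottie-player';
  const v = m[1];
  if (v === undefined || v === 'latest' || /^[\^~]|^\d+(\.\d+)?$/.test(v)) return 'unpinned';
  return AFFECTED_VERSIONS.has(v) ? 'compromised' : 'pinned';
}

// Rewrite a URL so it pins an exact version; refuses the affected ones.
function pinCdnUrl(url, version) {
  if (AFFECTED_VERSIONS.has(version)) throw new Error(`refusing to pin affected version ${version}`);
  return url.replace(SPEC_RE, `${PKG}@${version}`);
}

// Pull every <script src=...> out of an HTML document and report which
// ones load lottie-player, how the version is pinned, and whether the tag
// carries a Subresource Integrity hash (SRI fails the load if the CDN
// serves bytes other than the ones the hash was computed from).
function auditHtml(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const status = classifyCdnUrl(m[1]);
    if (status === 'not-lottie-player') continue;
    findings.push({ src: m[1], status, sri: /\bintegrity=/.test(m[0]) });
  }
  return findings;
}

// Constructed sample inputs (not real project files). The integrity value
// below is a placeholder; a real one is computed from the exact file served.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-site', version: '1.0.0' },
    'node_modules/@lottiefiles/lottie-player': { version: '2.0.6' },
    'node_modules/some-widget': { version: '4.1.0' },
    'node_modules/some-widget/node_modules/@lottiefiles/lottie-player': { version: '2.0.4' },
  },
};

const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
`;

function demo() {
  return {
    lockHits: auditLockfile(SAMPLE_LOCK),
    htmlFindings: auditHtml(SAMPLE_HTML),
    pinned: pinCdnUrl('https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js', '2.0.8'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the sample inputs the lockfile audit flags the top-level 2.0.6 install and leaves the nested 2.0.4 copy alone, and the HTML audit reports the `@latest` and versionless jsDelivr tags as unpinned, the `@2.0.7` tag as compromised, and only the `@2.0.8` tag as both pinned and protected by SRI. Pinning alone stops the CDN from silently promoting a future bad release; SRI additionally detects a tampered file at a pinned URL.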
The firm has confirmed that the developer account associated with the malicious uploads has been deactivated and the associated tokens have been revoked in order to prevent any additional unauthorized activity. However, the complete extent of the attack is still unknown.