LottieFiles uncovered a supply chain compromise in which malicious code could direct users to link their crypto wallets, potentially leading to asset theft.
LottieFiles, a platform that lets designers and developers create animations, has issued an alert about a security breach involving its npm package that could expose users to malicious code designed to compromise crypto wallets.
Incident Response for Recently Affected Lottie-Player versions 2.05, 2.06, 2.0.7
Contact Date/Time: 31 October 2024 04:00 UTC
Event: October 30th ~18:20 UTC – LottieFiles is invited to publish our popular open source npm package for the web player @lottiefiles/lottie-player…
— LottieFiles (@LottieFiles) 31 October 2024
In an X post on October 31, LottieFiles said that the affected versions (Lottie Web Player 2.0.5, 2.0.6, and 2.0.7) were released on October 30, which sparked concerns after numerous user reports emerged about strange code injections. In response to the threat, LottieFiles released a new version, 2.0.8, which reverts to the clean code.
“Several users who used the library through third-party CDNs without a secured version were automatically presented with the compromised version as the latest version.”
LottieFiles
For those unable to update, LottieFiles recommends warning end users about fraudulent wallet-connection prompts that may appear alongside the Lottie player. Users can also choose to stay on version 2.0.4 to avoid the risk.
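The CDN problem quoted above is that an unpinned reference (no version, or `latest`) silently resolved to the compromised release. As an added example, not code from LottieFiles or from this article, the script below audits HTML script tags and a package.json for `@lottiefiles/lottie-player` references and flags the affected versions, floating ranges and missing Subresource Integrity hashes; it assumes the unpkg/jsDelivr URL layout `@lottiefiles/lottie-player@<version>/...`, and the sample HTML is constructed.

```javascript
// Added example (not LottieFiles' code): audit lottie-player references for the
// conditions this incident exploited: unpinned CDN loads and the affected versions.
const PKG = "@lottiefiles/lottie-player";
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]); // versions named in the advisory

// Classify a version string taken from a CDN URL or a package.json range.
function classifyVersion(version) {
  if (!version || version === "latest") return "unpinned"; // floats to whatever is newest
  if (COMPROMISED.has(version)) return "compromised";
  if (/^\d+\.\d+\.\d+$/.test(version)) return "pinned"; // exact version, e.g. 2.0.4 or 2.0.8
  return "range"; // ^2.0.0, ~2.0.5, * etc. can still resolve to a compromised release
}

// Find <script> tags loading the package from a CDN and report version pinning and SRI.
function auditHtml(html) {
  const findings = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = (tag.match(/\bsrc=["']([^"']+)["']/i) || [])[1];
    if (!src) continue;
    const hit = src.match(/@lottiefiles\/lottie-player(?:@([^/"']+))?/);
    if (!hit) continue;
    const version = hit[1] || null; // null when the URL carries no version at all
    findings.push({
      src,
      version,
      status: classifyVersion(version),
      sri: /\bintegrity=["']sha(256|384|512)-/i.test(tag), // an SRI hash pins the content
    });
  }
  return findings;
}

// Check a parsed package.json object for the dependency; null when it is not declared.
function auditPackageJson(pkg) {
  const spec = (pkg.dependencies || {})[PKG] ?? (pkg.devDependencies || {})[PKG];
  if (spec === undefined) return null;
  return { spec, status: classifyVersion(spec) };
}

// Constructed sample page: one unpinned CDN load, one pinned load with an SRI placeholder.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
`;

for (const f of auditHtml(SAMPLE_HTML)) {
  console.log(`${f.status.padEnd(11)} sri=${f.sri} ${f.src}`);
}
```

Run it against a site's templates and lockfile: anything reported as `unpinned`, `range` or `compromised` is where the October 30 release could have been served.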
LottieFiles warned that applications using the compromised npm package could prompt users to unintentionally connect their crypto wallets, leading to potential theft. The firm added that the developer account linked to the malicious uploads had its access removed and the associated tokens revoked to stop further unauthorized activity, but the full scope of the attack was still unknown.