LottieFiles Issues Warning About Compromised “lottie-player” npm Package

Avatar
LottieFiles has revealed that its npm package “lottie-player” was compromised as part of a supply chain attack, prompting it to release an updated version of the library. “On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code,” the company said in a

LottieFiles has revealed that its npm package “lottie-player” was compromised as part of a supply chain attack, prompting it to release an updated version of the library.

“On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code,” the company said in a statement on X. “This does not impact our dotlottie player and/or SaaS service.”

LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It’s also the developer behind an npm package named lottie-player, which allows for embedding and playing Lottie animations on websites.

According to the company, “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”

The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users who are on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8.

“Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges,” LottieFiles noted.

Besides releasing a fix, the three rogue versions have been unpublished from the npm package repository. LottieFiles said it has also activated its incident response plan and engaged an external incident response team to assist with the investigation.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Enterprise Identity Threat Report 2024: Unveiling Hidden Threats to Corporate Identities

Next Post

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Related Posts

Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent

Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without explicitly seeking users' consent. "Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said
Avatar
Read More