LottieFiles discovered that its npm package ‘lottie-player’ had been compromised in a supply chain attack, prompting it to release an updated version of the library.
“Oct 30 ~18:20 UTC – LottieFiles has been notified that our popular open source npm web player package @lottiefiles/lottie-player contains unauthorized new versions with malicious code,” the company said in a statement on X. “This does not affect our dotlottie player and/or SaaS service.”
LottieFiles is an animation workflow platform that allows designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It is also the developer of an npm package called lottie-player, which allows Lottie animations to be embedded and played on websites.
According to the company, “a large number of users using the library via third-party CDNs without a patched version were automatically served the compromised version as the latest release.”
The malicious versions contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users of versions 2.0.5, 2.0.6 and 2.0.7 are advised to upgrade to 2.0.8.
“Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com within an hour using a compromised access token from a developer with the necessary privileges,” LottieFiles noted.
In addition to the patch release, the three rogue versions were unpublished from the npm registry. LottieFiles said it has also activated its incident response plan and brought in an external incident response team to assist in the investigation.
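To check whether a site or project was exposed, a defender needs to find every reference to the package and classify it against the three versions named above, including CDN script tags with no pinned version, which (as the article notes) would have been served the malicious "latest" release. The following is an added example, not LottieFiles' code; the CDN hostnames in the sample HTML and the lockfile layouts are assumptions.

```javascript
// Added example: audit a package-lock.json and an HTML page for
// @lottiefiles/lottie-player references and classify each one.
const PKG = "@lottiefiles/lottie-player";
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]); // versions named in the advisory
const EXACT = /^\d+\.\d+\.\d+$/;

// "floating": no version, "latest", or a range; a CDN resolves these to the
// newest release, which is how the malicious versions were served.
function classify(version) {
  if (version === undefined || version === "latest" || !EXACT.test(version)) return "floating";
  return COMPROMISED.has(version) ? "compromised" : "pinned";
}

// Handles lockfile v2/v3 ("packages", keyed by path) and v1 ("dependencies").
function checkLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG)) findings.push({ where: path, version: entry.version, status: classify(entry.version) });
  }
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    if (name === PKG) findings.push({ where: name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Matches <script src=".../@lottiefiles/lottie-player[@version]/..."> and captures the version, if any.
const SCRIPT_RE = /<script[^>]*\bsrc=["']([^"']*@lottiefiles\/lottie-player(?:@([^/"']+))?[^"']*)["']/gi;

function checkHtml(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) findings.push({ where: m[1], version: m[2], status: classify(m[2]) });
  return findings;
}

function audit(lockText, html) {
  return [...checkLockfile(lockText), ...checkHtml(html)];
}

// Constructed sample input (hostnames assumed): one bad lockfile entry, three CDN tags.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: { "": {}, ["node_modules/" + PKG]: { version: "2.0.6" } } });
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>`;

for (const f of audit(SAMPLE_LOCK, SAMPLE_HTML)) console.log(f.status.padEnd(12), f.version ?? "(none)", f.where);
```

Anything reported as "compromised" or "floating" should be moved to an exact pin on 2.0.8 (or later), and a "floating" CDN tag should be treated as having been exposed during the window in which the rogue versions were live.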