Supply Chain Attack on Popular Animation Library Lottie-Player Targets Web3 Users
In a sophisticated supply chain attack, malicious actors infiltrated the widely-used JavaScript library lottie-player, injecting code that opens a Web3 wallet connection prompt on legitimate websites. This prompt, if accepted by users, could allow attackers to siphon assets directly from cryptocurrency wallets. With lottie-player boasting over 4 million downloads and a key role in embedding animations on numerous high-traffic websites, the fallout from this incident highlights the security risks inherent in open-source libraries.
The breach was first reported on GitHub by a user who discovered an unexpected Web3 wallet prompt while integrating lottie-player on their site. Further investigation revealed that versions 2.0.5, 2.0.6, and 2.0.7 of lottie-player, all released between 8:12 PM and 9:57 PM GMT on October 30, 2024, had been compromised. Attackers managed to inject the malicious code after gaining unauthorized access to a token associated with one of the library’s maintainers, Aidosmf. This allowed them to propagate the compromised versions through npm and major CDNs, affecting websites that sourced the latest release without a version lock.
The injected code displayed a fake Web3 wallet connection request, attempting to exploit visitors on affected sites, particularly those in the cryptocurrency sector. Notably, 1inch, a decentralized finance (DeFi) platform, confirmed that some users might have encountered phishing prompts. One victim has already reported losing a staggering 10 Bitcoin (worth approximately $723,436) to the malicious wallet connect attempt, according to Scam Sniffer.
After discovering the attack, the lottie-player team quickly published a clean version, 2.0.8, which developers can use to replace compromised files. Additionally, versions 2.0.5 through 2.0.7 were removed from npm and CDN providers such as unpkg and jsdelivr to contain the breach and limit exposure.
However, any website referencing compromised versions directly remains vulnerable unless updated to a secure version (2.0.4 or 2.0.8).
In the wake of this attack, security teams are urged to take the following steps:
- Audit Dependencies: Conduct a thorough audit to identify any projects relying on the compromised versions of lottie-player. Given the extensive usage of the library, this step is critical to safeguarding web assets and user information.
- Update or Revert: Promptly update to the safe version 2.0.8 or revert to the pre-compromised version 2.0.4. Websites still using compromised releases are encouraged to act immediately to prevent potential breaches.
- Implement Version Pinning: Avoid using the latest release version without specifying a secure and verified version. Pinning dependencies to specific, verified versions can mitigate the risk of automatic exposure to future supply chain attacks.
- Monitor for Anomalous Transactions: Given that at least one major loss has been reported, organizations should actively monitor user transactions for suspicious activity, particularly Web3 wallet connection prompts and signatures.
