LottieFiles / lottie-player

Lottie viewer/player as an easy to use web component! https://lottiefiles.com/web-player
MIT License
1.56k stars 179 forks

Malicious code in Lottie-Player CDN files #254

Closed MrAhmedSayedAli closed 1 day ago

MrAhmedSayedAli commented 2 days ago

After I use https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js or https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js

This popup opens on my site.

[screenshots attached]

cassianogf commented 2 days ago

Up

franciscoaguilars commented 2 days ago

Up

bnt4 commented 2 days ago

Up

MrAhmedSayedAli commented 2 days ago

When I open Google Dev Tools:

[screenshot]

bnt4 commented 2 days ago

You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

SergejKembel commented 2 days ago

npm versions of this lib got updated a few minutes ago: https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

There is malicious code in the last 2 versions. I think the NPM token for deployment was leaked somehow.

MrAhmedSayedAli commented 2 days ago

You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

[screenshots]

andres-frank commented 2 days ago

up

bnt4 commented 2 days ago

npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

as @SergejKembel said, virus seems to be in version 2.0.5 and higher.

tomoconnor commented 2 days ago

[screenshot]

MrAhmedSayedAli commented 2 days ago

https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.js works fine for now.

edelciomolina commented 2 days ago

Same here! If you search for 'Ethereum,' you'll see many references to cryptocurrency wallets.

https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js

I chose to stop using it! Fortunately, we didn’t rely on it much!

lukasnobody commented 2 days ago

Just switched to airbnb lib.

Lottiefiles, I'm sorry, but you're just like a French TV channel with credentials on the wall :)

lukasnobody commented 2 days ago

npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

as @SergejKembel said, virus seems to be in version 2.0.5 and higher.

There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...

poozipotti commented 2 days ago

+1 here to this. This is the last time it seems the actual code in this repo was updated: https://github.com/LottieFiles/lottie-player/commit/8b37499efd627e7c622227f5862cb01c124a457b so 2.0.5 and 2.0.6 have code from ... somewhere?

could this commit also be related? This isn't really my area of expertise but if you look on beta there's a bunch of commits related to the secrets: https://github.com/LottieFiles/lottie-player/commits/beta

bnt4 commented 2 days ago

npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions as @SergejKembel said, virus seems to be in version 2.0.5 and higher.

There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...

Yeah, looks like the virus was directly deployed to npm. Maybe some secret got stolen.

SergejKembel commented 2 days ago

There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...

[screenshot]

At least in GitHub releases. But you can trigger a manual deployment to npm if you have the npm token, so you get an npm release with no GitHub release associated with it.

zarco-dev commented 2 days ago

[screenshot]

I have the same error, malware?

alejandrotrevi commented 2 days ago

Same here, deleted from my site, never coming back

SergejKembel commented 2 days ago

[screenshot]

I have the same error, malware?

No, it's a new feature. Please connect your wallet (just kidding, please don't do that. Yes, it's the same issue).

canelack commented 2 days ago

I was doing some TryHackMe rooms and they use this library, so this popup showed up 😂 A good reminder that @latest versions should be avoided in production to reduce the risk of supply chain attacks.

LuisReyes98 commented 2 days ago

2.0.4 looks safe for now

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

zarco-dev commented 2 days ago

For a quick solution, what would be done? just delete these two scripts?

<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>

franciscoaguilars commented 2 days ago

For a quick solution, what would be done? just delete these two scripts?

<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>

You should remove it from your scripts and if you have a package.json also delete it.

alancesardasilvasouza commented 2 days ago

[screenshot]

I went back to 2.0.4 everything is normal

baxtrax commented 2 days ago

To all of those who want to avoid this happening again, set up a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website.

lukasnobody commented 2 days ago

[screenshot] I have the same error, malware?

No, it's a new feature. Please connect your wallet (just kidding, please don't do that. Yes, it's the same issue).

Have connected my wallet, something weird is happening with the balance. But I hope LottieFiles have received these funds and will soon start a tender to buy KeePass.

ransome-psl commented 2 days ago

@zarco-dev, if you are using lottie-player I would not delete the scripts. You can modify them to a safe version as @LuisReyes98 suggests:

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

zarco-dev commented 2 days ago

@zarco-dev, if you are using lottie-player I would not delete the scripts. You can modify them to a safe version as @LuisReyes98 suggests:

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

Thanks!

poozipotti commented 2 days ago

It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

johnfewell commented 2 days ago

It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-compiled to NPM.

SergejKembel commented 2 days ago

To all of those who want to avoid this happening again, setup a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website

This isn't an injected script if you include it in your HTML header as an inline link to JS from a CDN like unpkg.

The package code itself is infected; there is no injection.

SergejKembel commented 2 days ago

It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-compiled to NPM.

https://github.com/LottieFiles/lottie-player/commits/beta

johnfewell commented 2 days ago

Has anyone explored the server that the package tries to make a web socket connect to?

tgrassl commented 2 days ago

@SergejKembel A strict CSP would still help with this type of supply chain attack, as the CSP would prevent the injected script from e.g. connecting to unknown external APIs, such as api.web3modal.org in the current lottie-player case
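The point above is that a connect-src allow-list would stop the injected wallet code from reaching hosts the page never intended to talk to, even though the script itself is loaded from a trusted origin. The following is an added example, not code from this thread or from lottie-player: it evaluates whether a given CSP connect-src directive permits an outbound fetch/WebSocket target, using the host-source subset of CSP Level 3 matching ('self', 'none', '*', scheme-sources such as https: and wss:, and host-sources with optional scheme, port and "*." wildcard). The policy, page origin and example.com hosts are constructed; the two blocked hosts are the ones named in this thread.

```javascript
// Added example (not from the thread or from lottie-player). Simplified CSP
// connect-src evaluator: enough of CSP3 source matching to show why a strict
// allow-list blocks api.web3modal.org / castleservices01.com while the page's
// legitimate API and WebSocket hosts keep working.

function defaultPort(u) {
  return u.protocol === 'https:' || u.protocol === 'wss:' ? '443' : '80';
}

function portOf(u) {
  return u.port || defaultPort(u);
}

// Directives are ';'-separated; source expressions inside one are whitespace-separated.
function parseDirective(csp, name) {
  const d = csp.split(';').map(s => s.trim()).find(s => s === name || s.startsWith(name + ' '));
  return d ? d.slice(name.length).trim().split(/\s+/).filter(Boolean) : null;
}

function sourceMatches(src, target, self) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") {
    // Same host and port, and the same scheme or a ws(s) connection from an http(s) page.
    const sameHostPort = target.hostname === self.hostname && portOf(target) === portOf(self);
    const schemeOk = target.protocol === self.protocol
      || (self.protocol === 'https:' && target.protocol === 'wss:')
      || (self.protocol === 'http:' && ['https:', 'ws:', 'wss:'].includes(target.protocol));
    return sameHostPort && schemeOk;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source, e.g. "wss:"
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // nonces, hashes and 'unsafe-*' never match a URL
  const [, scheme, wildcard, host, port] = m;
  const proto = scheme ? scheme + ':' : self.protocol;
  // An http: source also covers https:; otherwise the scheme must match exactly.
  if (!(target.protocol === proto || (proto === 'http:' && target.protocol === 'https:'))) return false;
  const th = target.hostname.toLowerCase();
  if (wildcard ? !th.endsWith('.' + host) : th !== host) return false;
  if (port && port !== '*' && portOf(target) !== port) return false;
  return true;
}

function connectAllowed(csp, pageOrigin, url) {
  const self = new URL(pageOrigin);
  const target = new URL(url);
  // connect-src falls back to default-src; with neither present nothing is restricted.
  const sources = parseDirective(csp, 'connect-src') ?? parseDirective(csp, 'default-src');
  if (sources === null) return true;
  return sources.some(src => sourceMatches(src, target, self));
}

// Constructed policy: own origin, one API host, and WebSockets to our own subdomains only.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://unpkg.com; " +
  "connect-src 'self' https://api.example.com wss://*.example.com";
const PAGE_ORIGIN = 'https://www.example.com';

if (typeof require !== 'undefined' && require.main === module) {
  for (const url of [
    'https://api.example.com/v1/animations',   // constructed, legitimate
    'wss://ws.example.com/live',               // constructed, legitimate
    'https://api.web3modal.org/getWallets',    // host named in this thread
    'wss://castleservices01.com/',             // host named in this thread
  ]) {
    console.log(connectAllowed(EXAMPLE_CSP, PAGE_ORIGIN, url) ? 'allow' : 'BLOCK', url);
  }
}
```

The caveat that applies to the thread: a CSP only limits where the compromised script can connect; it does not stop the script from running or from rendering the fake wallet popup, since the file is served from an origin your script-src already trusts. Treat it as a blast-radius control, not a substitute for pinning and reviewing what you load.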

PatchRequest commented 2 days ago

Has anyone explored the server that the package tries to make a web socket connect to?

castleservices01.com points to a cloudflare ip

lukasnobody commented 2 days ago

Has anyone explored the server that the package tries to make a web socket connect to?

castleservices01.com points to a cloudflare ip

https://gridinsoft.com/online-virus-scanner/url/zexelon-com

Just a typical Cryptoscam network)

Same address that ICANN gives for castleservices01.com.

charif-isl commented 2 days ago

Replace it with a known safe version from a trusted CDN:

<script src="https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.min.js"></script>

poozipotti commented 2 days ago

Could this code be related? It's very old but may be the culprit. I read through most of these commits and in the beta workflow for the npm jobs a token is echoed out, as well as a github token. Maybe it sat in the workflow logs for a while before someone scraped it or found it somehow? I haven't been able to find the specific deploy where it could have been leaked, but there are a few deleted logs in the deployment history on the repo. I'm not really a devops expert so I don't know what is typical here.

My best guess is there was a bunch going wrong with the npm job and the only way to test it was by deploying, and somewhere along the line a token got leaked. Someone with more experience in github workflows could probably find out for certain though.

main branch

c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow
300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow
4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file
0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow

beta branch

c986799 samuelOsborne Tue Jan 10 15:17:06 2023 +0100 fix: npm job install fix
5181e20 samuelOsborne Tue Jan 10 14:57:39 2023 +0100 fix: npm job install fix
639e4eb samuelOsborne Tue Jan 10 14:51:36 2023 +0100 fix: npm job install fix
e00fd44 samuelOsborne Tue Jan 10 14:29:37 2023 +0100 fix: npm job install fix
60b19e4 samuelOsborne Tue Jan 10 14:16:56 2023 +0100 fix: npm job install fix
1a4d4b2 samuelOsborne Tue Jan 10 14:06:18 2023 +0100 fix: npm job install fix
d024272 samuelOsborne Tue Jan 10 13:55:54 2023 +0100 fix: npm job install fix
3b22f8b samuelOsborne Tue Jan 10 10:58:22 2023 +0100 fix: npm job install fix
8d3ca96 samuelOsborne Tue Jan 10 10:46:32 2023 +0100 fix: npm job install fix
c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow
300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow
4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file
0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow

LiorLindvor commented 2 days ago

[screenshot]

It looks like it's coming from @Aidosmf Token.

nyxs commented 2 days ago

[screenshot]

Version 2.0.7 is on its way

lukasnobody commented 2 days ago

[screenshot]

tgrassl commented 2 days ago

Beware, 2.0.7 still contains the malicious code

lukasnobody commented 2 days ago

Beware, 2.0.7 still contains the malicious code

For real?

SergejKembel commented 2 days ago

[screenshot]

Version 2.0.7 is on its way

Probably still infected - wouldn't use it for now.

tgrassl commented 2 days ago

@lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code

bplv112 commented 2 days ago

Looks like all the versions after 2.0.1 are malicious, which makes sense as GitHub only shows releases till 2.0.1; all the other releases look corrupt.

SergejKembel commented 2 days ago

[screenshots]

2.0.4 is 6.9MB and 2.0.7 is 9.74MB - nothing was fixed since 2.0.5, but rather URLs were adjusted

lukasnobody commented 2 days ago

@lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code

Sergej posted above. It can be easily determined by "Unpacked size": the infected size is much bigger.
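Two signals recur in this thread: an npm version with no matching GitHub release (SergejKembel's point about a manual deployment with a leaked token) and an unpacked-size jump between adjacent versions (the 6.9 MB versus 9.74 MB comparison above). The following is an added example, not code from this thread or from LottieFiles, that turns both into an automated check over the npm registry document for a package. The registry metadata, publisher names and sizes below are constructed sample data shaped like the real document (versions[v].dist.unpackedSize, versions[v]._npmUser, time); in practice fetch https://registry.npmjs.org/<package> and the repository's release tags and feed those in.

```javascript
// Added example (not from the thread or from LottieFiles). Flags npm versions
// that have no corresponding GitHub release tag, or whose unpacked size jumps
// more than `sizeJump` (fraction) over the previous version.

// Compare "x.y.z" strings numerically; assumes plain three-part versions.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// registry: the JSON document served by registry.npmjs.org for one package.
// githubTags: release tag names from the repo ("v2.0.4" or "2.0.4").
function auditVersions(registry, githubTags, { sizeJump = 0.25 } = {}) {
  const tagSet = new Set(githubTags.map(t => t.replace(/^v/, '')));
  const versions = Object.keys(registry.versions).sort(compareSemver);
  const findings = [];
  let prev = null;
  for (const v of versions) {
    const meta = registry.versions[v];
    const reasons = [];
    if (!tagSet.has(v)) reasons.push('no GitHub release tag');
    if (prev) {
      const before = registry.versions[prev].dist.unpackedSize;
      const after = meta.dist.unpackedSize;
      if (before && after > before * (1 + sizeJump)) {
        reasons.push(`unpacked size ${before} -> ${after} (+${Math.round((after / before - 1) * 100)}%)`);
      }
    }
    if (reasons.length) {
      findings.push({
        version: v,
        publisher: meta._npmUser ? meta._npmUser.name : undefined,
        published: registry.time ? registry.time[v] : undefined,
        reasons,
      });
    }
    prev = v;
  }
  return findings;
}

// Constructed sample data: names, times and sizes are illustrative, not measured.
const SAMPLE_REGISTRY = {
  name: '@lottiefiles/lottie-player',
  time: {
    '2.0.3': '2024-02-01T10:00:00.000Z',
    '2.0.4': '2024-03-01T10:00:00.000Z',
    '2.0.5': '2024-10-30T19:00:00.000Z',
    '2.0.6': '2024-10-30T19:20:00.000Z',
  },
  versions: {
    '2.0.3': { dist: { unpackedSize: 6800000 }, _npmUser: { name: 'ci-publisher' } },
    '2.0.4': { dist: { unpackedSize: 6900000 }, _npmUser: { name: 'ci-publisher' } },
    '2.0.5': { dist: { unpackedSize: 9700000 }, _npmUser: { name: 'unexpected-user' } },
    '2.0.6': { dist: { unpackedSize: 9720000 }, _npmUser: { name: 'unexpected-user' } },
  },
};
const SAMPLE_TAGS = ['v2.0.1', 'v2.0.2', 'v2.0.3', 'v2.0.4'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditVersions(SAMPLE_REGISTRY, SAMPLE_TAGS)) {
    console.log(`${f.version} by ${f.publisher} at ${f.published}: ${f.reasons.join('; ')}`);
  }
}
```

The publisher field is worth printing alongside the findings: a version whose _npmUser differs from the account that published every earlier release is the same kind of signal as the missing tag. Neither check proves a package is malicious on its own; they tell you which tarball to open and read before anything else.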

johnfewell commented 2 days ago

Are the hackers lurking this thread?