LottieFiles / lottie-player

Lottie viewer/player as an easy to use web component! https://lottiefiles.com/web-player
MIT License
1.56k stars 180 forks

Malicious code in Lottie-Player CDN files #254

Closed MrAhmedSayedAli closed 3 weeks ago

MrAhmedSayedAli commented 3 weeks ago

After I use https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js or https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js

This popup opens on my site.

[screenshots]

cassianogf commented 3 weeks ago

Up

franciscoaguilars commented 3 weeks ago

Up

bnt4 commented 3 weeks ago

Up

MrAhmedSayedAli commented 3 weeks ago

When I open Google Dev Tools

[screenshot]

bnt4 commented 3 weeks ago

You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

SergejKembel commented 3 weeks ago

npm versions of this lib got updated a few minutes ago https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

There is malicious code in the last 2 versions. I think the NPM token for deployment was leaked somehow.

MrAhmedSayedAli commented 3 weeks ago

> You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

[screenshots]

andres-frank commented 3 weeks ago

up

bnt4 commented 3 weeks ago

npm versions got updated not even one hour ago: https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

As @SergejKembel said, the virus seems to be in version 2.0.5 and higher.

tomoconnor commented 3 weeks ago

[screenshot]

MrAhmedSayedAli commented 3 weeks ago

https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.js works fine for now.

edelciomolina commented 3 weeks ago

Same here! If you search for 'Ethereum,' you'll see many references to cryptocurrency wallets.

https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js

I chose to stop using it! Fortunately, we didn’t rely on it much!

lukasnobody commented 3 weeks ago

Just switched to the airbnb lib.

LottieFiles, I'm sorry, but you're just like a French TV channel with credentials on the wall)

lukasnobody commented 3 weeks ago

> npm versions got updated not even one hour ago: https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions
>
> As @SergejKembel said, the virus seems to be in version 2.0.5 and higher.

There are no 2.0.5 or 2.0.6 versions at all. 2.0.4 has been the latest (on GitHub) for 8 months, lol...

poozipotti commented 3 weeks ago

+1 to this. This seems to be the last time the actual code in this repo was updated: https://github.com/LottieFiles/lottie-player/commit/8b37499efd627e7c622227f5862cb01c124a457b so 2.0.5 and 2.0.6 have code from ... somewhere?

Could this commit also be related? This isn't really my area of expertise, but if you look on beta there's a bunch of commits related to the secrets: https://github.com/LottieFiles/lottie-player/commits/beta

bnt4 commented 3 weeks ago

> npm versions got updated not even one hour ago: https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions As @SergejKembel said, the virus seems to be in version 2.0.5 and higher.

> There are no 2.0.5 or 2.0.6 versions at all. 2.0.4 has been the latest (on GitHub) for 8 months, lol...

Yeah, looks like the virus was deployed directly to npm. Maybe some secret got stolen.

SergejKembel commented 3 weeks ago

> There are no 2.0.5 or 2.0.6 versions at all. 2.0.4 has been the latest (on GitHub) for 8 months, lol...

[screenshot]

At least on GitHub releases. But you can trigger a manual deployment to npm if you have the npm token, so you get an npm release with no GitHub release associated with it.

zarco-dev commented 3 weeks ago

[screenshot]

I have the same error, malware?

alejandrotrevi commented 3 weeks ago

Same here, deleted from my site, never coming back

SergejKembel commented 3 weeks ago

> [screenshot]
>
> I have the same error, malware?

No - it's a new feature. Please connect your wallet (just kidding - please don't do that. Yes, it's the same issue).

canelack commented 3 weeks ago

I was doing some TryHackMe rooms and they use this library, so this popup showed up 😂 A good reminder that @latest versions should be avoided in production to reduce the risk of supply chain attacks.

LuisReyes98 commented 3 weeks ago

2.0.4 looks safe for now

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
zarco-dev commented 3 weeks ago

For a quick solution, what would be done? just delete these two scripts?

<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>
franciscoaguilars commented 3 weeks ago

> For a quick solution, what would be done? just delete these two scripts?
>
> <script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
> <script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>

You should remove it from your scripts, and if you have a package.json, also delete it there.

alancesardasilvasouza commented 3 weeks ago

[screenshot]

I went back to 2.0.4 and everything is normal.

baxtrax commented 3 weeks ago

To all of those who want to avoid this happening again, set up a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website.

lukasnobody commented 3 weeks ago

> [screenshot] I have the same error, malware?

> No - it's a new feature. Please connect your wallet (just kidding - please don't do that. Yes, it's the same issue).

I have connected my wallet, and something weird is happening with my balance. But I hope LottieFiles has received these funds and will soon start a tender to buy KeePass.

ransome-psl commented 3 weeks ago

@zarco-dev, if you are using lottie-player I would not delete the scripts. You can change to a safe version as @LuisReyes98 suggests:

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

zarco-dev commented 3 weeks ago

> @zarco-dev, if you are using lottie-player I would not delete the scripts. You can change to a safe version as @LuisReyes98 suggests:
>
> <script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

Thanks!

poozipotti commented 3 weeks ago

It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

johnfewell commented 3 weeks ago

> It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-compiled to NPM.

SergejKembel commented 3 weeks ago

> To all of those who want to avoid this happening again, set up a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website.

This isn't an injected script if you include it in your HTML head as an inline link to JS from a CDN like unpkg.

The package code itself is infected; there is no injection.

SergejKembel commented 3 weeks ago

> It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

> Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-compiled to NPM.

https://github.com/LottieFiles/lottie-player/commits/beta

johnfewell commented 3 weeks ago

Has anyone explored the server that the package tries to make a web socket connect to?

tgrassl commented 3 weeks ago

@SergejKembel A strict CSP would still help with this type of supply chain attack, as the CSP would prevent the injected script from e.g. connecting to unknown external APIs, such as api.web3modal.org in the current lottie-player case

PatchRequest commented 3 weeks ago

> Has anyone explored the server that the package tries to make a web socket connect to?

castleservices01.com points to a cloudflare ip

lukasnobody commented 3 weeks ago

> Has anyone explored the server that the package tries to make a web socket connect to?

> castleservices01.com points to a cloudflare ip

https://gridinsoft.com/online-virus-scanner/url/zexelon-com

Just a typical crypto-scam network)

Same address that ICANN gives for castleservices01.com.

charif-isl commented 3 weeks ago

Replace it with a known safe version from a trusted CDN:

<script src="https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.min.js"></script>

poozipotti commented 3 weeks ago

Could this code be related? It's very old but may be the culprit. I read through most of these commits, and in the beta workflow for the npm jobs a token is echoed out, as well as a GitHub token. Maybe it sat in the workflow logs for a while before someone scraped it or found it somehow? I haven't been able to find the specific deploy where it could have been leaked, but there are a few deleted logs in the deployment history on the repo. I'm not really a devops expert, so I don't know what is typical here.

My best guess is there was a bunch going wrong with the npm job and the only way to test it was by deploying, and somewhere along the line a token got leaked. Someone with more experience in github workflows could probably find out for certain though.

main branch

c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow
300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow
4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file
0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow

beta branch

c986799 samuelOsborne Tue Jan 10 15:17:06 2023 +0100 fix: npm job install fix
5181e20 samuelOsborne Tue Jan 10 14:57:39 2023 +0100 fix: npm job install fix
639e4eb samuelOsborne Tue Jan 10 14:51:36 2023 +0100 fix: npm job install fix
e00fd44 samuelOsborne Tue Jan 10 14:29:37 2023 +0100 fix: npm job install fix
60b19e4 samuelOsborne Tue Jan 10 14:16:56 2023 +0100 fix: npm job install fix
1a4d4b2 samuelOsborne Tue Jan 10 14:06:18 2023 +0100 fix: npm job install fix
d024272 samuelOsborne Tue Jan 10 13:55:54 2023 +0100 fix: npm job install fix
3b22f8b samuelOsborne Tue Jan 10 10:58:22 2023 +0100 fix: npm job install fix
8d3ca96 samuelOsborne Tue Jan 10 10:46:32 2023 +0100 fix: npm job install fix
c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow
300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow
4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file
0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow

LiorLindvor commented 3 weeks ago

[screenshot]

It looks like it's coming from @Aidosmf's token.

nyxs commented 3 weeks ago

[screenshot]

Version 2.0.7 is on its way

lukasnobody commented 3 weeks ago

[screenshot]

tgrassl commented 3 weeks ago

Beware, 2.0.7 still contains the malicious code

lukasnobody commented 3 weeks ago

> Beware, 2.0.7 still contains the malicious code

For real?

SergejKembel commented 3 weeks ago

> [screenshot]
>
> Version 2.0.7 is on its way

Probably still infected - I wouldn't use it for now.

tgrassl commented 3 weeks ago

@lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code

bplv112 commented 3 weeks ago

Looks like all the versions after 2.0.1 are malicious, which makes sense, as GitHub only shows releases up to 2.0.1; all the other releases look corrupt.

SergejKembel commented 3 weeks ago

[screenshots]

2.0.4 is 6.9MB and 2.0.7 is 9.74MB - nothing was fixed since 2.0.5; rather, URLs were adjusted.

lukasnobody commented 3 weeks ago

> @lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code

Sergej posted above. It can be easily determined by "Unpacked size": the infected size is much bigger.

johnfewell commented 3 weeks ago

Are the hackers lurking this thread?