Malicious code in Lottie-Player CDN files

[MrAhmedSayedAli]

after i use https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js or https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js

This popup opens on my site.

[cassianogf]

Up

[franciscoaguilars]

Up

[bnt4]

Up

[MrAhmedSayedAli]

When i open google Dev Tools

[bnt4]

You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

[SergejKembel]

npm versions of this lib got updated few minutes ago https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

There is malicious code in last 2 versions. I think the NPM token for deployment was leaked somehow

[MrAhmedSayedAli]

You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

[andres-frank]

up

[bnt4]

npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

as @SergejKembel said, virus seems to be in version 2.0.5 and higher.

[tomoconnor]

[MrAhmedSayedAli]

https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.js Work Fine For Now

[edelciomolina]

Same here! If you search for 'Ethereum,' you'll see many references to cryptocurrency wallets.

https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js

I chose to stop using it! Fortunately, we didn’t rely on it much!

[lukasnobody]

Just switched to airbnb lib.

Lottiefiles, i'm sorry but you're just like an French TV channel with credentials on the wall)

[lukasnobody]

npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

as @SergejKembel said, virus seems to be in version 2.0.5 and higher.

There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...

[poozipotti]

+1 here to this, this is the last time it seems the actual code in this repo was updated: https://github.com/LottieFiles/lottie-player/commit/8b37499efd627e7c622227f5862cb01c124a457b so 2.0.5 and 2.0.6 have code from ... somewhere?

could this commit also be related? This isn't really my area of expertise but if you look on beta there's a bunch of commits related to the secrets: https://github.com/LottieFiles/lottie-player/commits/beta

[bnt4]

npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions as @SergejKembel said, virus seems to be in version 2.0.5 and higher.

There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...

Yeah, looks like the virus was directly deployed to npm. Maybe some secret got stolen.

[SergejKembel]

There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...

At least at GitHub releases - but you can trigger a manual deployment to npm if you have the npm token so you have a npm release and no GitHub release associated with it

[zarco-dev]

I have the same error, malware?

[alejandrotrevi]

Same here, deleted from my site, never coming back

[SergejKembel]

I have the same error, malware?

No - its a new feature. Please connect your wallet (just kidding - pls dont do that. Yes, its the same issue)

[canelack]

I was doing some TryHackMe rooms and they use this library, so this popup showed up 😂 A good reminder that @latest versions should be avoided in production to reduce the risk of supply chain attacks.

[LuisReyes98]

2.0.4 looks safe for now

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

[zarco-dev]

For a quick solution, what would be done? just delete these two scripts?

<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>

[franciscoaguilars]

For a quick solution, what would be done? just delete these two scripts?

<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>

You should remove it from your scripts and if you have a package.json also delete it.

[alancesardasilvasouza]

I went back to 2.0.4 everything is normal

[baxtrax]

To all of those who want to avoid this happening again, setup a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website

[lukasnobody]

I have the same error, malware?

No - its a new feature. Please connect your wallet (just kidding - pls dont do that. Yes, its the same issue)

Have connected my wallet, something weird happening with balance. But hope LottieFiles have received this funds and soon will start a tender to buy KeePass.

[ransome-psl]

@zarco-dev , if you are using lottie-player would not delete the scripts. You can modify to a safe version as @LuisReyes98 suggests

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

[zarco-dev]

@zarco-dev , if you are using lottie-player would not delete the scripts. You can modify to a safe version as @LuisReyes98 suggests

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

Thanks!

[poozipotti]

It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

[johnfewell]

It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-complied to NPM.

[SergejKembel]

To all of those who want to avoid this happening again, setup a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website

This isn't an injected script if you include it in your HTML header as inline link JS from a CDN like unpkg.

The packagecode itself is infected with, there is no injection.

[SergejKembel]

It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?

Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-complied to NPM.

https://github.com/LottieFiles/lottie-player/commits/beta

[johnfewell]

Has anyone explored the server that the package tries to make a web socket connect to?

[tgrassl]

@SergejKembel A strict CSP would still help with this type of supply chain attack, as the CSP would prevent the injected script from e.g. connecting to unknown external APIs, such as api.web3modal.org in the current lottie-player case

[PatchRequest]

Has anyone explored the server that the package tries to make a web socket connect to?

castleservices01.com points to a cloudflare ip

[lukasnobody]

Has anyone explored the server that the package tries to make a web socket connect to?

castleservices01.com points to a cloudflare ip

https://gridinsoft.com/online-virus-scanner/url/zexelon-com

Just a typical Cryptoscam network)

Same address that ICANN gives about castleservices01.com.

[charif-isl]

Replace it with a known safe version from a trusted CDN:

<script src="https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.min.js"></script>

[poozipotti]

Could this code be related? It's very old but may be the culprit. I read through most of these commits and in the beta workflow for the npm jobs a token is echoed out, as well as a github token. Maybe it sat in the workflow logs for a while before someone scraped it or found it somehow? I haven't been able to find the specific deploy where it could have been leaked, but there are a few deleted logs in the deployment history on the repo. I'm not really a devops expert so I don't know what is typical here.

My best guess is there was a bunch going wrong with the npm job and the only way to test it was by deploying, and somewhere along the line a token got leaked. Someone with more experience in github workflows could probably find out for certain though.

main branch

c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow 300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow 4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file 0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow

beta branch

c986799 samuelOsborne Tue Jan 10 15:17:06 2023 +0100 fix: npm job install fix 5181e20 samuelOsborne Tue Jan 10 14:57:39 2023 +0100 fix: npm job install fix 639e4eb samuelOsborne Tue Jan 10 14:51:36 2023 +0100 fix: npm job install fix e00fd44 samuelOsborne Tue Jan 10 14:29:37 2023 +0100 fix: npm job install fix 60b19e4 samuelOsborne Tue Jan 10 14:16:56 2023 +0100 fix: npm job install fix 1a4d4b2 samuelOsborne Tue Jan 10 14:06:18 2023 +0100 fix: npm job install fix d024272 samuelOsborne Tue Jan 10 13:55:54 2023 +0100 fix: npm job install fix 3b22f8b samuelOsborne Tue Jan 10 10:58:22 2023 +0100 fix: npm job install fix 8d3ca96 samuelOsborne Tue Jan 10 10:46:32 2023 +0100 fix: npm job install fix c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow 300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow 4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file 0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow

[LiorLindvor]

It looks like it's coming from @Aidosmf Token.

[nyxs]

Version 2.0.7 is on its way

[lukasnobody]

[tgrassl]

Beware, 2.0.7 still contains the malicious code

[lukasnobody]

Beware, 2.0.7 still contains the malicious code

For real?

[SergejKembel]

Version 2.0.7 is on its way

Probably still infected - wouldn't use it for now.

[tgrassl]

@lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code

[bplv112]

Looks like all the version after 2.0.1 is malicious, which makes sense as github only shows release till 2.0.1, all the other releases looks corrupt.

[SergejKembel]

2.0.4 is 6.9MB and 2.0.7 is 9.74MB - nothing was fixed since 2.0.5, but rather URLs were adjusted

[lukasnobody]

@lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code

Sergej posted above. Can be easily determined by "Unpacked size". Infected size much bigger.

[johnfewell]

Are the hackers lurking this thread?