cassianogf
commented
3 weeks ago Up
Closed MrAhmedSayedAli closed 3 weeks ago
cassianogf
commented
3 weeks ago Up
franciscoaguilars
commented
3 weeks ago Up
bnt4
commented
3 weeks ago Up
MrAhmedSayedAli
commented
3 weeks ago When i open google Dev Tools
bnt4
commented
3 weeks ago You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.
SergejKembel
commented
3 weeks ago npm versions of this lib got updated few minutes ago https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions
There is malicious code in last 2 versions. I think the NPM token for deployment was leaked somehow
MrAhmedSayedAli
commented
3 weeks ago You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.
andres-frank
commented
3 weeks ago up
bnt4
commented
3 weeks ago npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions
as @SergejKembel said, virus seems to be in version 2.0.5 and higher.
tomoconnor
commented
3 weeks ago MrAhmedSayedAli
commented
3 weeks ago https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.js Work Fine For Now
edelciomolina
commented
3 weeks ago Same here! If you search for 'Ethereum,' you'll see many references to cryptocurrency wallets.
https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.jsI chose to stop using it! Fortunately, we didn’t rely on it much!
lukasnobody
commented
3 weeks ago Just switched to airbnb lib.
Lottiefiles, i'm sorry but you're just like an French TV channel with credentials on the wall)
lukasnobody
commented
3 weeks ago npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions
as @SergejKembel said, virus seems to be in version 2.0.5 and higher.
There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...
poozipotti
commented
3 weeks ago +1 here to this, this is the last time it seems the actual code in this repo was updated: https://github.com/LottieFiles/lottie-player/commit/8b37499efd627e7c622227f5862cb01c124a457b so 2.0.5 and 2.0.6 have code from ... somewhere?
could this commit also be related? This isn't really my area of expertise but if you look on beta there's a bunch of commits related to the secrets: https://github.com/LottieFiles/lottie-player/commits/beta
bnt4
commented
3 weeks ago npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions as @SergejKembel said, virus seems to be in version 2.0.5 and higher.
There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...
Yeah, looks like the virus was directly deployed to npm. Maybe some secret got stolen.
SergejKembel
commented
3 weeks ago There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol...
At least at GitHub releases - but you can trigger a manual deployment to npm if you have the npm token so you have a npm release and no GitHub release associated with it
zarco-dev
commented
3 weeks ago I have the same error, malware?
alejandrotrevi
commented
3 weeks ago Same here, deleted from my site, never coming back
SergejKembel
commented
3 weeks ago
I have the same error, malware?
No - its a new feature. Please connect your wallet (just kidding - pls dont do that. Yes, its the same issue)
canelack
commented
3 weeks ago I was doing some TryHackMe rooms and they use this library, so this popup showed up 😂
A good reminder that @latest versions should be avoided in production to reduce the risk of supply chain attacks.
LuisReyes98
commented
3 weeks ago 2.0.4 looks safe for now
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>For a quick solution, what would be done? just delete these two scripts?
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>For a quick solution, what would be done? just delete these two scripts?
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script> <script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>
You should remove it from your scripts and if you have a package.json also delete it.
alancesardasilvasouza
commented
3 weeks ago I went back to 2.0.4 everything is normal
baxtrax
commented
3 weeks ago To all of those who want to avoid this happening again, setup a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website
lukasnobody
commented
3 weeks ago
I have the same error, malware?
No - its a new feature. Please connect your wallet (just kidding - pls dont do that. Yes, its the same issue)
Have connected my wallet, something weird happening with balance. But hope LottieFiles have received this funds and soon will start a tender to buy KeePass.
ransome-psl
commented
3 weeks ago @zarco-dev , if you are using lottie-player would not delete the scripts. You can modify to a safe version as @LuisReyes98 suggests
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
zarco-dev
commented
3 weeks ago @zarco-dev , if you are using lottie-player would not delete the scripts. You can modify to a safe version as @LuisReyes98 suggests
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
Thanks!
poozipotti
commented
3 weeks ago It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?
johnfewell
commented
3 weeks ago It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?
Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-complied to NPM.
SergejKembel
commented
3 weeks ago To all of those who want to avoid this happening again, setup a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website
This isn't an injected script if you include it in your HTML header as inline link JS from a CDN like unpkg.
The packagecode itself is infected with, there is no injection.
SergejKembel
commented
3 weeks ago It looks like a bunch of changes to the github release workflow happened from Dec. 6 to Jan 10. Wondering if it's the source of the leak?
Can you post a link to the code you're referring to? A compromised NPM key is the most likely explanation. I think the infected code was pushed pre-complied to NPM.
johnfewell
commented
3 weeks ago Has anyone explored the server that the package tries to make a web socket connect to?
tgrassl
commented
3 weeks ago @SergejKembel A strict CSP would still help with this type of supply chain attack, as the CSP would prevent the injected script from e.g. connecting to unknown external APIs, such as api.web3modal.org in the current lottie-player case
PatchRequest
commented
3 weeks ago Has anyone explored the server that the package tries to make a web socket connect to?
castleservices01.com points to a cloudflare ip
lukasnobody
commented
3 weeks ago Has anyone explored the server that the package tries to make a web socket connect to?
castleservices01.com points to a cloudflare ip
https://gridinsoft.com/online-virus-scanner/url/zexelon-com
Just a typical Cryptoscam network)
Same address that ICANN gives about castleservices01.com.
charif-isl
commented
3 weeks ago Replace it with a known safe version from a trusted CDN:
<script src="https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.min.js"></script>
poozipotti
commented
3 weeks ago Could this code be related? It's very old but may be the culprit. I read through most of these commits and in the beta workflow for the npm jobs a token is echoed out, as well as a github token. Maybe it sat in the workflow logs for a while before someone scraped it or found it somehow? I haven't been able to find the specific deploy where it could have been leaked, but there are a few deleted logs in the deployment history on the repo. I'm not really a devops expert so I don't know what is typical here.
My best guess is there was a bunch going wrong with the npm job and the only way to test it was by deploying, and somewhere along the line a token got leaked. Someone with more experience in github workflows could probably find out for certain though.
main branch
c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow 300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow 4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file 0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow
beta branch
c986799 samuelOsborne Tue Jan 10 15:17:06 2023 +0100 fix: npm job install fix 5181e20 samuelOsborne Tue Jan 10 14:57:39 2023 +0100 fix: npm job install fix 639e4eb samuelOsborne Tue Jan 10 14:51:36 2023 +0100 fix: npm job install fix e00fd44 samuelOsborne Tue Jan 10 14:29:37 2023 +0100 fix: npm job install fix 60b19e4 samuelOsborne Tue Jan 10 14:16:56 2023 +0100 fix: npm job install fix 1a4d4b2 samuelOsborne Tue Jan 10 14:06:18 2023 +0100 fix: npm job install fix d024272 samuelOsborne Tue Jan 10 13:55:54 2023 +0100 fix: npm job install fix 3b22f8b samuelOsborne Tue Jan 10 10:58:22 2023 +0100 fix: npm job install fix 8d3ca96 samuelOsborne Tue Jan 10 10:46:32 2023 +0100 fix: npm job install fix c098e7c samuelOsborne Tue Jan 10 09:58:40 2023 +0100 fix: added release workflow 300d13a samuelOsborne Tue Jan 10 09:51:57 2023 +0100 fix: added release workflow 4aa05a3 samuelOsborne Wed Dec 7 11:11:56 2022 +0100 chore: removed relase file 0581409 samuelOsborne Tue Dec 6 15:32:50 2022 +0100 feat: added getVersions, updated lottie-web, updated release workflow
LiorLindvor
commented
3 weeks ago It looks like it's coming from @Aidosmf Token.
nyxs
commented
3 weeks ago Version 2.0.7 is on its way
lukasnobody
commented
3 weeks ago tgrassl
commented
3 weeks ago Beware, 2.0.7 still contains the malicious code
lukasnobody
commented
3 weeks ago Beware, 2.0.7 still contains the malicious code
For real?
SergejKembel
commented
3 weeks ago
Version 2.0.7 is on its way
Probably still infected - wouldn't use it for now.
tgrassl
commented
3 weeks ago @lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code
bplv112
commented
3 weeks ago Looks like all the version after 2.0.1 is malicious, which makes sense as github only shows release till 2.0.1, all the other releases looks corrupt.
SergejKembel
commented
3 weeks ago
2.0.4 is 6.9MB and 2.0.7 is 9.74MB - nothing was fixed since 2.0.5, but rather URLs were adjusted
lukasnobody
commented
3 weeks ago @lukasnobody Yes, you can check the uploaded code in e.g. dist/lottie-player.js or here https://www.npmjs.com/package/@lottiefiles/lottie-player/v/2.0.7?activeTab=code
Sergej posted above. Can be easily determined by "Unpacked size". Infected size much bigger.
johnfewell
commented
3 weeks ago Are the hackers lurking this thread?
after i use
https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.jsorhttps://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.jsThis popup opens on my site.