LottieFiles / lottie-player

Lottie viewer/player as an easy to use web component! https://lottiefiles.com/web-player
MIT License

Malicious code in Lottie-Player CDN files #254

Closed MrAhmedSayedAli closed 1 day ago

MrAhmedSayedAli commented 2 days ago

After I use https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js or https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js

This popup opens on my site.


SergejKembel commented 2 days ago

Looks like all the versions after 2.0.1 are malicious, which makes sense as GitHub only shows releases till 2.0.1; all the other releases look corrupt.

https://github.com/LottieFiles/lottie-player/commit/8b37499efd627e7c622227f5862cb01c124a457b

2.0.4 is a commit on master

bplv112 commented 2 days ago

Oh looks like I stand corrected. 2.0.4 is the most recent safe version. It is weird that it was never released on github though.

PatchRequest commented 2 days ago

Are the hackers lurking this thread?

We are already on twitter :) https://x.com/CerastIntel/status/1851729392256311611

jawish commented 2 days ago

Thanks for reporting this! We are tackling this now.

Y8765 commented 2 days ago

For the other guys who asked how to deal with a script that has been changed: you need to use SRI with a file hash, then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the browser will drop the file from loading.

bronthulke commented 2 days ago

> For the other guys who asked how to deal with a script that has been changed: you need to use SRI with a file hash, then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the browser will drop the file from loading.

That won't help if you are using the "latest" version, though, right?

quarryman commented 2 days ago

> For the other guys who asked how to deal with a script that has been changed: you need to use SRI with a file hash, then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the browser will drop the file from loading.

> That won't help if you are using the "latest" version, though, right?

You cannot use the latest version with SRI.

nyxs commented 2 days ago

I can conclude so far that:

  1. The code under "lottie-player.js" targets the "app.1inch[.]io" website.
  2. Its primary goal is to connect to the user's crypto wallet.
  3. It adds new blockchain networks to the wallet.
  4. It enables interaction with smart contracts.

It doesn't seem like the code sends money directly somewhere, but there is ABI encoding logic there.

Continuing to investigate.

gexly commented 2 days ago

> For the other guys who asked how to deal with a script that has been changed: you need to use SRI with a file hash, then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the browser will drop the file from loading.

> That won't help if you are using the "latest" version, though, right?

The latest version (2.0.5) from https://cdnjs.com/libraries/lottie-player has SRI, but it is also malicious.

mason-rogers commented 2 days ago

I'd like to drop in and say that I've personally been receiving some phishing emails from fake npm domains, with invites to my own projects, as well as all of our staff members - and it's possible that's what happened here. I didn't click any links and so I'm not sure exactly what it does.

nyxs commented 2 days ago

Who is "aidosmf aidosmf@gmail.com"? @jawish Do you know him? I saw it once in the npm info and he's gone.

mason-rogers commented 2 days ago

@nyxs https://github.com/aidosmf

quarryman commented 2 days ago

> For the other guys who asked how to deal with a script that has been changed: you need to use SRI with a file hash, then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the browser will drop the file from loading.

> That won't help if you are using the "latest" version, though, right?

> The latest version (2.0.5) from https://cdnjs.com/libraries/lottie-player has SRI, but it is also malicious.

You should have control over the integrity hash on your side for it to work.

nyxs commented 2 days ago

> @nyxs https://github.com/aidosmf

Yeah, but is he one of the owners here? I mistakenly tagged you instead of @jawish

nyxs commented 2 days ago

2.0.7 is deprecated now, I guess it's @jawish

mason-rogers commented 2 days ago

> @nyxs https://github.com/aidosmf

> Yeah, but is he one of the owners here? I mistakenly tagged you instead of @jawish

Nw - yeah he appears to be, he's in the LottieFiles org

jawish commented 2 days ago

We are still investigating but it seems like, as you folks have identified, @Aidosmf token was compromised.

The token was used to publish versions 2.0.5, 2.0.6, 2.0.7 in successive releases over 3 hours.

2.0.5 - pushed to npm at 8:12 PM GMT, 30 Oct 2024
2.0.6 - pushed to npm at 8:35 PM GMT, 30 Oct 2024
2.0.7 - pushed to npm at 9:57 PM GMT, 30 Oct 2024

We have removed the compromised account's access and published a new 2.0.8 version that is a copy of 2.0.4, for all those of you who are using the implicit latest tag via CDNs.

If you are using it by explicitly specifying the version and are using any of the affected versions, please change to 2.0.4 or 2.0.8. We have reached out to npm to help unpublish the affected versions as their web portal and CLI are not letting us unpublish the affected versions.

teamgroove commented 2 days ago

And what about the CDNs? As long as they serve them, this is still a Pandora's box for eternity? The crap should be deleted and overwritten with a blank file or redirected to a valid one. It breaks the integrity, of course. Does our CDN industry already have a solution to this in the semver world they exist in?

teamgroove commented 2 days ago

I realized I never thought about it, but the CDNs then have a historical track record of every malware breach. You can always go back and study malware, right?! Or reinfect. Hm.

jkobus commented 2 days ago

I created a copy of it for scientific purposes for anyone interested here: https://gist.github.com/jkobus/57f7a198c521237d980753d9025893b8

jawish commented 2 days ago

UPDATE:

The affected versions have now been removed from npmjs.com (2.0.5, 2.0.6, 2.0.7).

If you had one of these versions explicitly specified in package.json, please do bump to 2.0.8.

The new 2.0.8 release is being served on CDNs as the latest; that should fix the issue for many folks (but we highly recommend using a fixed version as best practice). The compromised versions have been automatically removed from jsDelivr but not CDNjs.com, so they are, currently, still accessible if accessed via the explicit version specifier.
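An added example (not the project's code) of the check a dependent project would run after the update above: it reads a parsed package.json and package-lock.json, flags lockfile entries pinned at 2.0.5, 2.0.6 or 2.0.7, and flags package.json ranges that would have resolved to those versions while they were still on npm. The semver matcher covers only exact, `^`, `~` and wildcard ranges, and the sample manifests are constructed.

```javascript
// Compromised versions named by the maintainers in this thread.
const PKG = "@lottiefiles/lottie-player";
const COMPROMISED = ["2.0.5", "2.0.6", "2.0.7"];

const parse = (v) => v.split(".").map(Number);

// Minimal semver range check for the forms that matter here: exact, ^, ~, *, latest.
// (Caret ranges on a 0.x major are not handled; this package is on major 2.)
function rangeAllows(range, version) {
  const [M, m, p] = parse(version);
  if (range === "*" || range === "latest" || range === "") return true;
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const [rM, rm, rp] = parse(op ? range.slice(1) : range);
  const notBelow = M > rM || (M === rM && (m > rm || (m === rm && p >= rp)));
  if (op === "^") return notBelow && M === rM;
  if (op === "~") return notBelow && M === rM && m === rm;
  return M === rM && m === rm && p === rp;
}

// Inspect a parsed package.json plus an optional parsed package-lock.json
// (lockfile v2/v3 "packages" map). Returns human-readable findings; an empty
// array means neither the declared range nor the locked install is affected.
function auditLottie(packageJson, lockJson) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const range = packageJson[section]?.[PKG];
    if (range === undefined) continue;
    const hits = COMPROMISED.filter((v) => rangeAllows(range, v));
    if (hits.length) findings.push(`${section}: range "${range}" admits ${hits.join(", ")}`);
  }
  for (const [path, entry] of Object.entries(lockJson?.packages ?? {})) {
    if (path.endsWith("node_modules/" + PKG) && COMPROMISED.includes(entry.version)) {
      findings.push(`lockfile: ${path} pinned at compromised ${entry.version}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not from any real project): a floating caret
// range in package.json and a lockfile that resolved it to 2.0.6.
const SAMPLE_PKG = { dependencies: { [PKG]: "^2.0.1" } };
const SAMPLE_LOCK = { packages: { ["node_modules/" + PKG]: { version: "2.0.6" } } };

console.log(auditLottie(SAMPLE_PKG, SAMPLE_LOCK)); // two findings
console.log(auditLottie({ dependencies: { [PKG]: "2.0.4" } }, {})); // []
```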

NagliNagli commented 2 days ago

I've put up a Twitter recap and also a Nuclei template detection for the specific versions above ^

https://x.com/galnagli/status/1851779972639363076

Template:

https://gist.github.com/NagliNagli/be5f4cb8be90a3c3985ef776b1b3dd73

reallynattu commented 1 day ago

Incident Response for Recently Infected Lottie Web Player versions 2.05, 2.06, 2.07

Comm Date/Time: Oct 31st, 2024 04:00 AM UTC

Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees.

Immediate Mitigation Actions

Impact

Recommended Steps

Next Steps

If you believe you’re affected, don’t hesitate to reach out to us at priority_support@lottiefiles.com

xmflsct commented 1 day ago

> UPDATE:

> The affected versions have now been removed from npmjs.com (2.0.5, 2.0.6, 2.0.7).

> If you had one of these versions explicitly specified in package.json, please do bump to 2.0.8.

> The new 2.0.8 release is being served on CDNs as the latest; that should fix the issue for many folks (but we highly recommend using a fixed version as best practice). The compromised versions have been automatically removed from jsDelivr but not CDNjs.com, so they are, currently, still accessible if accessed via the explicit version specifier.

Quick update for whoever is watching this issue. CDNJS now redirects the affected versions to 2.0.8.