Open andreujuanc opened 2 weeks ago
Yes, I confirmed the issue on my side. I've temporarily removed the Lottie dependencies on my websites.
Wallet pop-in visible after the page loaded:
CDN reference used: https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js
Can confirm, same issue.
Can also confirm, same issue on a different website.
Confirmed also
Same here
Confirmed also
Incident Response for Recently Infected Lottie-Player versions 2.0.5, 2.0.6, 2.0.7
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th, ~6:20 PM UTC, LottieFiles were notified that our popular open source npm package for the web player, @lottiefiles/lottie-player, had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring the safety and security of our users, customers, their end-users, developers, and our employees.
Immediate Mitigation Actions
Impact
Versions 2.0.5, 2.0.6, 2.0.7 were published directly to http://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.
The unauthorized versions contained code that prompted users to connect their crypto wallets.
A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix.
Recommended Steps
If using versions 2.0.5, 2.0.6 or 2.0.7, please update to the latest version, 2.0.8 -- SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==
If you are unable to update the player immediately, it is recommended that you tell Lottie-player end-users NOT to accept any attempts to connect their crypto wallets.
Next Steps
LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.
We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected.
If you believe you're affected, don't hesitate to reach out to us at priority_support@lottiefiles.com.
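As an added example (not LottieFiles' code), a small audit script that applies the recommended steps above to a project: it reports lockfiles that resolve @lottiefiles/lottie-player to 2.0.5, 2.0.6 or 2.0.7, and CDN script tags that float on @latest or carry no integrity attribute. Package name and versions come from the post; the lockfile and HTML inputs are constructed samples, and the integrity value in them is a placeholder.

```javascript
// Added example: audit a package-lock.json and an HTML page for the
// compromised lottie-player versions and for unpinned / non-SRI CDN script tags.
const AFFECTED = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const PKG = "@lottiefiles/lottie-player";
// Returns every installed lottie-player entry whose version is in AFFECTED.
// Handles lockfile v2/v3 ("packages") and v1 ("dependencies") layouts.
function findAffectedInLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && AFFECTED.has(meta.version)) {
      found.push({ path, version: meta.version });
    }
  }
  const dep = (lock.dependencies || {})[PKG];
  if (dep && AFFECTED.has(dep.version)) found.push({ path: PKG, version: dep.version });
  return found;
}
// Flags <script> tags loading lottie-player with no exact version pin
// (e.g. @latest or no @version at all) or without Subresource Integrity.
function auditScriptTags(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc=["']([^"']*lottie-player[^"']*)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const ver = /lottie-player@([^/]+)/.exec(m[1]);
    const pinned = ver !== null && /^\d+\.\d+\.\d+$/.test(ver[1]);
    const hasIntegrity = /\bintegrity=/i.test(m[0]);
    if (!pinned || !hasIntegrity) {
      findings.push({ src: m[1], version: ver ? ver[1] : null, pinned, hasIntegrity });
    }
  }
  return findings;
}
// Constructed sample inputs: a lockfile resolving to 2.0.6, and a page with one
// floating @latest tag plus one pinned tag (the integrity value is a placeholder).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
  },
});
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha512-PLACEHOLDER" crossorigin="anonymous"></script>
`;
console.log(findAffectedInLock(SAMPLE_LOCK), auditScriptTags(SAMPLE_HTML));
```

Run it against a real lockfile and page by reading them from disk in place of the sample constants; any non-empty result means the project still needs the update or a pinned, integrity-checked tag.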
Is lottie-web compromised as well, or only https://github.com/LottieFiles/lottie-player ?
lottie-web is unaffected. Only the lottie-player package.
The situation has been resolved and we have taken short-term measures to ensure security, as well as started the process of implementing tooling and controls to prevent this in the future.
You can check out our incident report here https://x.com/LottieFiles/status/1851848602093777273
AFFECTED VERSION, DO NOT RUN THIS:
@lottiefiles/lottie-player@latest/dist/lottie-player.js. Do not know if other CDNs are also affected.
UPDATE:
Looks like they lost their npm keys, and the actor pushed 2.0.5 and 2.0.6 with the drainer code. Github code showed nothing.