A targeted supply chain attack involving the widely used npm package @lottiefiles/lottie-player has been uncovered, highlighting vulnerabilities in software dependencies.
According to research published by ReversingLabs last week, malicious versions of the package were released earlier this year.
Key Details of the Incident
The @lottiefiles/lottie-player package was downloaded approximately 84,000 times weekly and is used to embed and play Lottie animations on websites.
While typically secure, malicious actors recently compromised the package by publishing three malicious versions – 2.0.5, 2.0.6 and 2.0.7 – via an unauthorized access token from a privileged developer account.
These malicious updates contained altered code that introduced pop-ups prompting users to connect their web3 wallets.
Upon connection, attackers gained access to drain victims’ crypto wallet assets. Developers quickly flagged the issue after noticing unusual behaviors on affected sites, prompting discussions across forums and GitHub.
Quick Response From Maintainers
LottieFiles responded promptly to the breach, working with npm to remove the malicious versions and publish a clean version based on the last secure release – version 2.0.4. Developers using the @latest dependency configuration received automatic updates, mitigating potential impacts.
Read more on supply chain security: CISA Urges Improvements in US Software Supply Chain Transparency
How the Compromise Was Detected
ReversingLabs researchers conducted a differential analysis between the secure 2.0.4 and the malicious 2.0.7 versions. This revealed significant changes, including:
-
Increased file size without functional justification
-
Introduction of URLs associated with Bitcoin exchanges
-
Removal of standard behaviors, like display enumeration
Their analysis also flagged threat-hunting policies that detected patterns similar to known software supply chain attacks, such as crypto-token detection.
Lessons For Developers
The attack underscores the importance of pinning dependencies to specific, vetted versions to avoid vulnerabilities in auto-updated packages. Regular security assessments of dependencies and build pipelines are also crucial to identify potential risks.
“In the case of the @lottiefiles/lottie-player, the supply chain compromise was detected quickly. However, that doesn’t mean that malicious actors couldn’t work in the future towards being even more secretive and better at hiding their malicious code,” ReversingLabs warned.
“That’s why it’s necessary for developers to conduct security assessments that can verify the integrity and quality of public, open source libraries for safety before they are used.”