LottieFiles has revealed that its npm package “lottie-player” was compromised as part of a supply chain attack, prompting it to release an updated version of the library.
“On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code,” the company said in a statement on X. “This does not impact our dotlottie player and/or SaaS service.”
LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It is also the developer behind an npm package named lottie-player, which allows for embedding and playing Lottie animations on websites.
According to the company, “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users who are on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8.
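The two points above, that unpinned CDN references were automatically served the malicious release and that sites on 2.0.5 through 2.0.7 should move to 2.0.8, can be turned into a quick audit of a page's own `<script>` tags. The following is an added example, not code from the article or from LottieFiles: it classifies each lottie-player script tag as unpinned (a floating `@latest` or missing version), pinned to one of the affected versions, pinned without a Subresource Integrity hash, or fully pinned with SRI. The sample HTML is constructed; the `/dist/lottie-player.js` path and the unpkg/jsDelivr URL shapes are assumed from the package's usual embed snippet, and the SRI hash is a placeholder.

```javascript
// Added example (not from the article or LottieFiles). Audits <script> tags that load
// @lottiefiles/lottie-player from a CDN and reports how exposed each one was to the
// malicious 2.0.5-2.0.7 releases.

const AFFECTED = new Set(["2.0.5", "2.0.6", "2.0.7"]); // versions named in the advisory
const FIXED = "2.0.8";                                   // remediated release

// Extract the version spec from an unpkg/jsDelivr-style URL for the package.
// Returns null when the URL is not for @lottiefiles/lottie-player; a missing
// "@version" segment is treated as "latest" because that is how such CDNs resolve it.
function parseVersion(src) {
  const m = src.match(/@lottiefiles\/lottie-player(?:@([^/]+))?\//);
  if (!m) return null;
  return m[1] === undefined ? "latest" : m[1];
}

// Classify one <script ...> opening tag. Returns null for scripts of other packages.
function classifyScriptTag(tag) {
  const srcMatch = tag.match(/src=["']([^"']+)["']/i);
  if (!srcMatch) return null;
  const version = parseVersion(srcMatch[1]);
  if (version === null) return null;

  const hasIntegrity = /\bintegrity=["']sha(256|384|512)-[^"']+["']/i.test(tag);
  const exactVersion = /^\d+\.\d+\.\d+$/.test(version); // anything else floats (latest, ^2, 2.x)

  let status;
  if (!exactVersion) {
    status = "unpinned";        // would have been served 2.0.5-2.0.7 automatically
  } else if (AFFECTED.has(version)) {
    status = "affected";        // explicitly pinned to a malicious release
  } else if (!hasIntegrity) {
    status = "pinned-no-sri";   // safe today, but a future bad publish of the same tag could still slip in
  } else {
    status = "ok";              // exact version plus SRI: the browser rejects altered content
  }
  return { src: srcMatch[1], version, hasIntegrity, status, recommended: FIXED };
}

// Scan a whole HTML document and return one record per lottie-player script tag.
function auditHtml(html) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags.map(classifyScriptTag).filter(Boolean);
}

// Constructed sample: four ways a site might have embedded the player.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER_BASE64_HASH_OF_2_0_8_BUNDLE" crossorigin="anonymous"></script>
<script src="https://example.com/unrelated.js"></script>
`;

for (const r of auditHtml(SAMPLE_HTML)) {
  console.log(`${r.status.padEnd(14)} version=${r.version.padEnd(7)} sri=${r.hasIntegrity} ${r.src}`);
}
```

Only the last lottie-player tag in the sample is in the state the incident argues for: an exact version plus an `integrity` attribute, so that a CDN serving a different file for the same URL is rejected by the browser. A pinned tag without SRI avoids the automatic upgrade but still trusts the CDN to serve the bytes that were published under that version.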
“Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges,” LottieFiles noted.
Besides releasing a fix, the three rogue versions have been unpublished from the npm package repository. LottieFiles said it has also activated its incident response plan and engaged an external incident response team to assist with the investigation.