web analytics

npm Package Lottie-Player Compromised in Supply Chain Attack – Source: www.infosecurity-magazine.com

Rate this post

Source: www.infosecurity-magazine.com – Author:

A targeted supply chain attack involving the widely used npm package @lottiefiles/lottie-player has been uncovered, highlighting vulnerabilities in software dependencies.

According to research published by ReversingLabs last week, malicious versions of the package were released earlier this year.

Key Details of the Incident

The @lottiefiles/lottie-player package was downloaded approximately 84,000 times weekly and is used to embed and play Lottie animations on websites.

While typically secure, malicious actors recently compromised the package by publishing three malicious versions – 2.0.5, 2.0.6 and 2.0.7 – via an unauthorized access token from a privileged developer account.

These malicious updates contained altered code that introduced pop-ups prompting users to connect their web3 wallets.

Upon connection, attackers gained access to drain victims’ crypto wallet assets. Developers quickly flagged the issue after noticing unusual behaviors on affected sites, prompting discussions across forums and GitHub.

Quick Response From Maintainers

LottieFiles responded promptly to the breach, working with npm to remove the malicious versions and publish a clean version based on the last secure release – version 2.0.4. Developers using the @latest dependency configuration received automatic updates, mitigating potential impacts.

Read more on supply chain security: CISA Urges Improvements in US Software Supply Chain Transparency

How the Compromise Was Detected

ReversingLabs researchers conducted a differential analysis between the secure 2.0.4 and the malicious 2.0.7 versions. This revealed significant changes, including:

  • Increased file size without functional justification

  • Introduction of URLs associated with Bitcoin exchanges

  • Removal of standard behaviors, like display enumeration

Their analysis also flagged threat-hunting policies that detected patterns similar to known software supply chain attacks, such as crypto-token detection.

Lessons For Developers

The attack underscores the importance of pinning dependencies to specific, vetted versions to avoid vulnerabilities in auto-updated packages. Regular security assessments of dependencies and build pipelines are also crucial to identify potential risks.

“In the case of the @lottiefiles/lottie-player, the supply chain compromise was detected quickly. However, that doesn’t mean that malicious actors couldn’t work in the future towards being even more secretive and better at hiding their malicious code,” ReversingLabs warned.

“That’s why it’s necessary for developers to conduct security assessments that can verify the integrity and quality of public, open source libraries for safety before they are used.”

Original Post URL: https://www.infosecurity-magazine.com/news/npm-package-lottieplayer-supply/

Category & Tags: –

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post