Supply Chain Attack on lottie-player

Type

Campaign

Actors

❓Unknown

Pub. date

October 31, 2024

Initial access

Supply chain vector

Impact

Supply chain attack

Observed techniques

Supply Chain Compromise

Targeted technologies

Lottie-player

References

https://www.wiz.io/blog/lottie-player-supply-chain-attackhttps://x.com/galnagli/status/1851779972639363076

Status

Finalized

Last edited

Nov 3, 2024 2:03 PM

On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.

The incident was reported on GitHub, where a user noticed unexpected Web3 wallet connection prompts when integrating lottie-player on a website. At the time, malicious versions of the library were being sourced from one of two URLs (the first is no longer compromised):

https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js

https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js

Upon investigation, it was determined that malicious actors has gained access to a token owned by one of the library's maintainers (Aidosmf). This unauthorized access allowed them to inject malicious code into lottie-player versions 2.0.5, 2.0.6, and 2.0.7, which were published on npm between 8:12 PM and 9:57 PM GMT on October 30, 2024.

Upon visiting a website utilizing an affected version of the library, the injected code prompted the user to connect to their crypto wallets. A large number of users visiting websites using the library sourced from third-party CDNs without a pinned version were automatically served the compromised version as the latest release. For instance, 1inch trading platform was impacted by this, and they reported 1inch dApp users may have encountered a malicious wallet connect and signature request. After the incident was identified, a safe version was published (2.0.8), and those websites would have automatically been fixed.

In response, the affected versions were also removed from npm and major CDN providers to limit further exposure. However, any websites explicitly referencing the affected versions remain at risk until they update or revert to safe versions (2.0.4 or 2.0.8).