On October 30, 2024, a supply chain attack was carried out against the popular JavaScript library lottie-player (npm package @lottiefiles/lottie-player). The injected code displays a Web3 wallet connection prompt on legitimate websites that load the library, exposing visitors of prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still referencing those versions remain affected.
The incident was first reported on GitHub by a user who noticed unexpected Web3 wallet connection prompts after integrating lottie-player on a website. At the time, malicious versions of the library were being served from one of two URLs (the first is an unpinned @latest reference and no longer resolves to a compromised build):
https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js
https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js
Upon investigation, it was determined that the attackers had gained access to a token belonging to one of the library's maintainers (Aidosmf). This unauthorized access allowed them to publish lottie-player versions 2.0.5, 2.0.6, and 2.0.7, each containing the injected code, to npm between 8:12 PM and 9:57 PM GMT on October 30, 2024.
When a user visited a website running an affected version of the library, the injected code prompted them to connect their crypto wallet. Many websites load the library from third-party CDNs without pinning a version, so their visitors were automatically served the compromised build as soon as it became the latest release. The 1inch trading platform was affected in this way and reported that 1inch dApp users may have encountered a malicious wallet connect and signature request. Once the incident was identified, a safe version (2.0.8) was published, and websites referencing the latest release were automatically fixed when the CDNs began serving it.
In response, the affected versions were also removed from npm and the major CDN providers to limit further exposure. However, any website that explicitly references one of the affected versions remains at risk until it updates to 2.0.8 or reverts to 2.0.4.