On October 31st, 2024, LottieFiles, a popular platform for creating and sharing lightweight animations, disclosed a supply chain compromise of its npm package. Malicious code was injected into versions 2.0.5, 2.0.6, and 2.0.7 of its Lottie Web Player package (published on npm as “@lottiefiles/lottie-player”). The injected code was a cryptocurrency wallet drainer, and it let the threat actors steal funds from visitors to sites that loaded the compromised versions.
The LottieFiles npm Supply Chain Attack: How it Happened
The malicious code, introduced on October 30th, the day before the disclosure, displayed a prompt asking visitors to connect their cryptocurrency wallets; once a wallet was connected, the attackers could drain its assets. The attack required no action by the affected site owners: sites that loaded the player from a third-party Content Delivery Network (CDN) without specifying a pinned version were served the newest published release automatically, so the compromised versions reached those sites as soon as they were pushed to npm.
As LottieFiles explains, “A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
The Impact: Financial Losses and User Vulnerability
The consequences of this supply chain attack are severe. Blockchain threat monitoring platform Scam Sniffer reported at least one victim losing $723,000 worth of Bitcoin. The total number of victims and the total losses remain unknown, but the incident shows how quickly a compromised front-end library turns into direct financial loss for end users. The only visible symptom of the compromised code was a popup asking users to connect their wallets, something an animation player has no legitimate reason to do; that prompt was the one clear indicator of malicious intent. The LottieFiles compromise is a stark reminder of the financial damage a single compromised software package can cause.
LottieFiles’ Response and Remediation
LottieFiles acted quickly to contain the damage. It released version 2.0.8, rebuilt from the last clean release (2.0.4), and urged users to upgrade immediately. It also revoked the compromised developer account's access and its associated tokens, so that no further versions could be published from it. The company states that its other open-source libraries, code repositories, and SaaS services were not affected.
“We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected,” LottieFiles stated in their announcement.
This swift response is commendable, yet the damage is already done for some users.
Lessons Learned: Preventing Future Supply Chain Attacks
This incident is a crucial reminder of the vulnerabilities inherent in software supply chains. Relying on third-party libraries and CDNs requires strict version control and integrity checks. Developers should pin exact versions of their dependencies so that a new release is never picked up without review: in CDN URLs that means an exact version in the URL, ideally with a Subresource Integrity hash so the browser refuses the script if its bytes change; in npm projects it means committing the lockfile and installing from it, since a caret range in package.json alone still resolves to the newest matching release. Pinning also limits the blast radius in this direction: a site pinned to 2.0.4 was never served 2.0.5 through 2.0.7. Users, for their part, should treat any unexpected request to connect a cryptocurrency wallet as a red flag, especially on sites whose function has nothing to do with crypto. This attack on users' crypto should prompt a broad review of dependency-handling practices across the software development ecosystem.
LottieFiles is conducting an internal investigation, with the help of external experts, to establish the full extent of the compromise and identify the perpetrators; further details may emerge. The attack underscores the growing threat of supply chain attacks aimed at cryptocurrency users and the need for stronger controls throughout the software development lifecycle. Its impact extends beyond the immediate financial losses: it raises concerns about how much trust can be placed in open-source packages and in the channels, such as npm and public CDNs, that deliver them.