he widespread NPM package deal @lottiefiles/lottie-player allows builders to seamlessly combine Lottie animations into web sites and purposes.
On October 30, the group reported existence of malicious code inside variations 2.0.5, 2.0.6, and a couple of.0.7 of the npm package deal.
The package deal maintainers replied and confirmed the attackers had been capable of take over the NPM package deal utilizing a leaked automation token which was used to automate publications of NPM packages.
The malicious code shows a UI overlay, asking to attach the crypto wallets by clicking or scanning a QR. By doing so, this forestall utilization of the contaminated web site
That is one more reminder on how delicate the software program provide chain is
Would MFA Have Prevented This?
Multifactor authentication is designed to problem people. There are three authentication components that can be utilized and 2FA requires two:
- one thing (like a password)
- one thing you may have (like a one-time-use token)
- one thing you’re (a biometric id like a fingerprint or a speech sample)
Going again two years in the past – NPM determined to implement 2FA on all customers. Nice transfer on NPM aspect as we witnessed many account takeover incidents occurring.
Sounds Nice, Doesn’t Work (?)
Whereas this does safe NPM account takeover assaults from the interactive login web page, imposing 2FA on all accounts comes with a side-effect:
- non-human identities can’t reply 2FA challenges.
So, whenever you outline an NPM automation token — whoever will get your long-auto generated password is ready to bypass your 2FA controls to make new model releases.
Again to @lottiefiles/lottie-player , even with 2FA configured, the menace actors by some means received the NPM automation token set within the CI/CD pipeline to automate model releases to publish the malicious variations 2.0.5, 2.0.6, and a couple of.0.7 of the npm package deal
The Malicious Code
All it does is displaying a UI overlay to steer the sufferer’s deal with connecting its crypto wallets to the malicious interface.
Demo Video
NPM Malicious Code
demo – https://youtu.be/8z60oet__H4
Conclusion
Kudus to the package deal maintainers for rapidly releasing an incident response report
Freeze your deps tightly. Don’t rush to replace to the newest if it’s not a safety replace and it’s a brand new launch.
Test and ensure you don’t have the malicious variations 2.0.5, 2.0.6, and 2.0.7 of lottie-player npm package deal.
The incident highlighted limitations of 2FA in automation environments, as automation tokens bypass these controls. This may occur to any main mission.
