LottieFiles Issues Warning About Compromised

Oct 31, 2024 | Ravie Lakshmanan | Cryptocurrency / Software Development

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library.

"On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a statement on X. "This does not impact our dotlottie player and/or SaaS service."

LottieFiles is an animation workflow platform that allows designers to create, edit, and share animations in a JSON-based animation file format known as Lottie. It is also the developer behind an npm package named lottie-player, which allows Lottie animations to be embedded and played on websites.


According to the company, "a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release."

The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users on versions 2.0.5, 2.0.6, and 2.0.7 are advised to update to 2.0.8.
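The unpinned-CDN exposure quoted above is easy to audit for. The following is an added example (not code from LottieFiles or from this article) that scans a page's script tags for loads of @lottiefiles/lottie-player, flags any that float to the registry's newest release (no version, a dist-tag, or a range), flags the three withdrawn versions, and records whether a Subresource Integrity attribute is present. The CDN hostnames, the sample HTML and the integrity value are constructed for the example.

```javascript
// Added example, not LottieFiles or The Hacker News code.
// Versions named in the article: 2.0.5-2.0.7 compromised, 2.0.8 is the fix.
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const FIXED = "2.0.8";

// Package name in a CDN-style URL, with an optional "@<version-or-tag>" suffix.
const PKG_RE = /@lottiefiles\/lottie-player(?:@([^/"'\s]+))?/;

function classifyScriptSrc(src) {
  const m = PKG_RE.exec(src);
  if (!m) return null;                       // some other script, ignore
  const spec = m[1] || null;
  // No version, a dist-tag such as "latest", or a range such as "2" / "^2.0.0"
  // all resolve to whatever the registry currently calls the newest release.
  if (!spec || !/^\d+\.\d+\.\d+$/.test(spec)) {
    return { src, version: spec, status: "unpinned" };
  }
  if (COMPROMISED.has(spec)) return { src, version: spec, status: "compromised" };
  return { src, version: spec, status: "pinned" };
}

// Walk every <script src=...> tag in an HTML document and report lottie-player loads.
function auditHtml(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const f = classifyScriptSrc(tag[1]);
    if (f) {
      f.hasIntegrity = /\bintegrity=/.test(tag[0]); // SRI pins the bytes, not just the version
      findings.push(f);
    }
  }
  return findings;
}

// Constructed sample page: one floating load, one withdrawn version, one pinned with SRI.
// The CDN hostnames and the integrity value are placeholders, not real hashes.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@${FIXED}/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER_REPLACE_WITH_REAL_HASH" crossorigin="anonymous"></script>
`;

console.table(auditHtml(SAMPLE_HTML));
```

Only the third tag is safe to leave as is: an exact version with an integrity hash means a later rogue publish can neither be served nor executed by the browser.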

"Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges," LottieFiles noted.

Besides releasing a fix, the three rogue versions have been unpublished from the npm package registry. LottieFiles said it has also activated its incident response plan and engaged an external incident response team to assist with the investigation.
