A recent supply chain attack on the npm package @lottiefiles/lottie-player has again shown how much risk flows into an application through its dependencies. The incident, analyzed in detail by ReversingLabs, involved the publication of malicious versions of the package earlier this year.
The @lottiefiles/lottie-player package is widely used, with approximately 84,000 weekly downloads, to embed and play Lottie animations on websites. Attackers published three unauthorized versions, 2.0.5, 2.0.6, and 2.0.7, through a compromised developer account that held publish rights for the package. These releases contained injected code that ran in the browser of every visitor to a site loading the compromised player and prompted them to connect a web3 wallet; visitors who approved the connection had their crypto assets drained by the attackers.
Fortunately, developers quickly noticed the unexpected wallet prompts on affected sites and raised the alarm, leading to discussions on forums and GitHub. LottieFiles responded promptly, working with npm to remove the malicious versions and publishing a clean release (2.0.8) built from the last known-good version, 2.0.4. Sites that loaded the package through a specifier or CDN URL resolving to @latest picked up the clean release automatically, which limited the impact, although that same configuration is what had pulled in the malicious versions in the first place. Integrators that had explicitly pinned one of the three bad versions had to update by hand.
ReversingLabs researchers confirmed the compromise with a differential analysis between the known-good version 2.0.4 and the malicious version 2.0.7. The comparison surfaced changes that a minor release should not carry: an unexplained increase in file size, the introduction of URLs linked to Bitcoin exchanges, and the removal of standard behaviors such as display enumeration. Threat-hunting policies were also applied to the package to detect patterns resembling known software supply chain attacks.
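The kind of differential analysis described above can be reproduced in a simple form: unpack the known-good and the suspect version of a package, then compare file inventories, per-file sizes, and the set of embedded URLs. The following script is an added example and is not ReversingLabs' tooling or LottieFiles' code; it works on two in-memory snapshots (path to contents) and the sample contents, package name, and URLs are constructed for the demo rather than taken from the real package.

```javascript
// Added example (not ReversingLabs' tooling): a minimal differential analysis
// between two unpacked versions of an npm package, held in memory as
// { relativePath: fileContents }. A real run would read the two extracted
// tarballs from disk; the sample contents below are constructed.
const URL_RE = /https?:\/\/[^\s"'`<>)]+/g;

// Collect the distinct URLs embedded in a text file.
function extractUrls(text) {
  return new Set(text.match(URL_RE) || []);
}

// Compare a known-good snapshot against a candidate and report what changed:
// added/removed files, per-file size deltas, and URLs present only on one side.
function diffPackages(base, candidate) {
  const baseFiles = new Set(Object.keys(base));
  const candFiles = new Set(Object.keys(candidate));

  const addedFiles = [...candFiles].filter((f) => !baseFiles.has(f)).sort();
  const removedFiles = [...baseFiles].filter((f) => !candFiles.has(f)).sort();

  const sizeDeltas = {};
  for (const f of candFiles) {
    if (!baseFiles.has(f)) continue;
    const before = Buffer.byteLength(base[f]);
    const after = Buffer.byteLength(candidate[f]);
    if (before !== after) sizeDeltas[f] = after - before;
  }

  const urlsIn = (pkg) => {
    const all = new Set();
    for (const content of Object.values(pkg)) {
      for (const u of extractUrls(content)) all.add(u);
    }
    return all;
  };
  const baseUrls = urlsIn(base);
  const candUrls = urlsIn(candidate);
  const newUrls = [...candUrls].filter((u) => !baseUrls.has(u)).sort();
  const droppedUrls = [...baseUrls].filter((u) => !candUrls.has(u)).sort();

  return { addedFiles, removedFiles, sizeDeltas, newUrls, droppedUrls };
}

// Turn the diff into review flags a human should look at. The growth
// threshold is an arbitrary choice for this example, not published policy.
function flagSuspicious(diff, { growthBytes = 1024 } = {}) {
  const flags = [];
  for (const [f, delta] of Object.entries(diff.sizeDeltas)) {
    if (delta > growthBytes) flags.push(`${f} grew by ${delta} bytes`);
  }
  if (diff.newUrls.length) flags.push(`new URLs: ${diff.newUrls.join(', ')}`);
  if (diff.addedFiles.length) flags.push(`new files: ${diff.addedFiles.join(', ')}`);
  return flags;
}

// Constructed snapshots standing in for a clean release and a suspicious later build.
const SAMPLE_BASE = {
  'package.json': '{"name":"@example/player","version":"2.0.4"}',
  'dist/player.js': 'export function play(){/* render animation */} // docs: https://example.invalid/docs',
};
const SAMPLE_CANDIDATE = {
  'package.json': '{"name":"@example/player","version":"2.0.7"}',
  'dist/player.js':
    'export function play(){/* render animation */} // docs: https://example.invalid/docs\n' +
    'const c="https://connect.example-wallet.invalid/api"; fetch(c);' + 'x'.repeat(1500),
};

const demoDiff = diffPackages(SAMPLE_BASE, SAMPLE_CANDIDATE);
console.log(JSON.stringify(demoDiff, null, 2));
console.log(flagSuspicious(demoDiff));
```

On the constructed input the script reports one file that grew by well over a kilobyte and one URL that exists only in the candidate, which is exactly the shape of signal the analysis above looked for. Size growth and new network endpoints are cheap heuristics, not proof; the point of the diff is to tell a reviewer where to read.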
This incident is a reminder to developers to pin dependencies to specific, vetted versions so that an unreviewed release cannot flow into builds, or directly into live pages, the moment it is published. Pinning only helps if the pinned version has actually been reviewed, and it should be backed by a committed lockfile so that transitive dependencies are fixed too; scripts loaded from a CDN should reference an exact version rather than a floating tag. Regular security assessments of dependencies and build pipelines are essential to identify such risks early. ReversingLabs emphasized the need for developers to verify the integrity and quality of public, open-source libraries before integrating them into their projects.
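The advice above can be checked mechanically. The script below is an added example, not code from LottieFiles, npm, or ReversingLabs: it flags package.json specifiers that are not exact versions and CDN script tags (unpkg and jsDelivr URL shapes) that carry no version or a floating tag such as @latest. The package.json and HTML inputs are constructed for the demo; 'some-lib' and 'left-pad' are used only as placeholders.

```javascript
// Added example (not LottieFiles' or npm's code): audit a project for
// dependency specifiers and CDN script tags that float to whatever the
// registry serves next. Inputs here are constructed strings; a real run
// would read package.json and the HTML templates from disk.

// An exact npm specifier is X.Y.Z with optional prerelease/build metadata.
// Anything else (^, ~, ranges, "latest", "*", dist-tags) can pull an unvetted release.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function auditPackageJson(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(spec)) {
        findings.push({ field, name, spec, reason: 'not pinned to an exact version' });
      }
    }
  }
  return findings;
}

// CDN URLs of the form https://host/<package>@<version>/path. A missing
// version, or a dist-tag such as @latest, is resolved by the CDN at request
// time, so the page silently follows every new publish.
const CDN_SCRIPT_RE =
  /<script[^>]+src=["']https?:\/\/(unpkg\.com|cdn\.jsdelivr\.net\/npm)\/((?:@[^/@"']+\/)?[^/@"']+)(?:@([^/"']+))?/g;

function auditHtml(html) {
  const findings = [];
  for (const m of html.matchAll(CDN_SCRIPT_RE)) {
    const [, host, name, version] = m;
    if (version === undefined) {
      findings.push({ host, name, spec: '(none)', reason: 'no version in CDN URL' });
    } else if (!EXACT_SEMVER.test(version)) {
      findings.push({ host, name, spec: version, reason: 'CDN URL uses a floating tag or range' });
    }
  }
  return findings;
}

// Constructed inputs for the demo.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    '@lottiefiles/lottie-player': '^2.0.4', // caret range: would have accepted 2.0.5 through 2.0.7
    'left-pad': '1.3.0',                    // exact version: passes
    'some-lib': 'latest',                   // dist-tag: floats with every publish
  },
});
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/some-lib/dist/index.js"></script>
`;

console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
console.log(auditHtml(SAMPLE_HTML));
```

Run with Node: the caret range and the `latest` tag in package.json are reported, as are the `@latest` and version-less CDN tags, while the exact `@2.0.4` URL passes. An exact specifier in package.json still leaves transitive dependencies to the resolver, so commit the lockfile and install with `npm ci`; for CDN-loaded scripts, an exact version in the URL can be combined with a Subresource Integrity hash so the browser rejects a file that differs from the one you reviewed.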
In conclusion, the @lottiefiles/lottie-player compromise was contained quickly, but it shows how a single publish by a compromised maintainer account reaches every site that consumes a library without pinning or review. Developers must stay vigilant and proactive in safeguarding their software supply chain. Stay informed, stay secure.