LottieFiles recently disclosed a security breach that could compromise users’ crypto wallets and potentially lead to asset theft. The platform, known for enabling designers and developers to create animations, identified a supply chain compromise in its npm package that could expose users to malicious code.
According to a Twitter post by LottieFiles on October 31, the affected versions of Lottie Web Player, namely 2.0.5, 2.0.6, and 2.0.7, were released on October 30. Following reports of strange code injections from multiple users, LottieFiles swiftly responded by releasing a new version, 2.0.8, to revert to secure code and mitigate the threat.
The injected code presented site visitors with a fraudulent wallet-connection prompt; users who connected their crypto wallets risked having their assets stolen. LottieFiles advised users to update to the latest secure version or remain on version 2.0.4 to avoid these fraudulent wallet connection prompts.
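For teams checking whether a project pulled in one of the affected releases, the following added example (not LottieFiles' own code) scans an npm lockfile, in both the v1 nested "dependencies" layout and the v2/v3 flat "packages" layout, for the versions named above. It assumes the affected package is published as @lottiefiles/lottie-player, since the article only calls it "Lottie Web Player"; the sample lockfiles are constructed for the demonstration.

```javascript
// Added example (not LottieFiles' code): scan an npm lockfile for the
// Lottie Web Player releases the advisory names as compromised.
// Assumption: the affected npm package is "@lottiefiles/lottie-player";
// the article only calls it "Lottie Web Player".
const AFFECTED_PACKAGE = "@lottiefiles/lottie-player";
const AFFECTED_VERSIONS = new Set(["2.0.5", "2.0.6", "2.0.7"]);

// Lockfile v2/v3: keys look like "node_modules/a/node_modules/@scope/b".
// The part after the last "node_modules/" is the package name.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Lockfile v1: a nested "dependencies" tree keyed by package name.
function walkV1(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const lockPath = parentPath ? `${parentPath} > ${name}` : name;
    if (name === AFFECTED_PACKAGE && AFFECTED_VERSIONS.has(entry.version)) {
      hits.push({ path: lockPath, version: entry.version });
    }
    walkV1(entry.dependencies, lockPath, hits); // transitive copies count too
  }
}

// Returns every occurrence of an affected version and where it sits in the tree.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      const name = entry.name || nameFromLockPath(lockPath);
      if (name === AFFECTED_PACKAGE && AFFECTED_VERSIONS.has(entry.version)) {
        hits.push({ path: lockPath, version: entry.version });
      }
    }
  } else {
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-site", version: "1.0.0" },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.8" },
    "node_modules/some-ui-kit": { version: "4.2.0" },
    "node_modules/some-ui-kit/node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "@lottiefiles/lottie-player": { version: "2.0.4" },
    "widget-lib": {
      version: "1.3.0",
      dependencies: { "@lottiefiles/lottie-player": { version: "2.0.5" } },
    },
  },
};

// Run against a real lockfile: node check-lottie.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const hits = findAffected(lock);
  if (hits.length === 0) {
    console.log("No affected Lottie Web Player versions found.");
  } else {
    for (const h of hits) console.log(`AFFECTED ${h.version} at ${h.path}`);
    process.exitCode = 1;
  }
}
```

The scan reports nested copies as well as the top-level one, because a site can be on 2.0.8 at the root while a UI dependency still pins its own copy of an affected release; the path in each hit shows which dependency to chase.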
In response to the breach, LottieFiles took immediate action by revoking access to the developer account responsible for the malicious uploads and invalidating related tokens to prevent any further unauthorized activity. However, the full extent of the attack is still being investigated.
Users who are unable to update their Lottie Web Player are urged to educate end users about the potential risks associated with the compromised npm package. By raising awareness about the issue, users can take precautions to safeguard their crypto assets and prevent unauthorized access to their wallets.
LottieFiles remains committed to ensuring the security and integrity of its platform and is working diligently to address any vulnerabilities and prevent future incidents. By staying vigilant and proactive in addressing security threats, LottieFiles aims to protect its users and maintain a safe environment for creating and sharing animations.