LottieFiles Warns of Security Breach in npm Package, Potential Crypto Wallet Risk

LottieFiles, a platform renowned for enabling designers and developers to create animations, has issued an urgent warning regarding a security breach involving its npm package. The compromised package may expose users to malicious code designed to compromise crypto wallets, potentially leading to asset theft.

Incident Response for Infected Lottie-Player Versions

Comm Date/Time: Oct 31st, 2024, 04:00 AM UTC
Incident: On October 30th at approximately 6:20 PM UTC, LottieFiles was notified about a security issue with its popular open-source npm package for the web player @lottiefiles/lottie-player.

In an update on October 31st, LottieFiles confirmed that the affected versions (Lottie Web Player 2.0.5, 2.0.6, and 2.0.7) were released on October 30th. Immediate concerns arose after multiple user reports about unusual code injections. In response, LottieFiles released a new version, 2.0.8, which reverts to a secure code base.

“A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”

Recommended Actions for Users

For those unable to update immediately, LottieFiles recommends informing end users about potential fraudulent wallet connection prompts associated with the Lottie-player. Users may also opt to remain on version 2.0.4 to avoid risk.

  • Update to version 2.0.8 immediately to secure your application.
  • Inform end users about potential risks of fraudulent wallet connection prompts.
  • Revert to version 2.0.4 if updating is not possible at the moment.
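The quote above explains why the compromised release spread: CDN script tags without a pinned version track "latest". As an added example (not LottieFiles' own code), the following Node.js audit checks a project's package-lock.json and HTML for the three affected releases and for unpinned CDN tags; the lockfile entries, HTML and CDN URLs are constructed for illustration.

```javascript
// Added example, not LottieFiles' own code: audit a web project for the
// compromised @lottiefiles/lottie-player releases named in the advisory and
// for unpinned CDN <script> tags, which is how the release reached sites.
const PACKAGE = '@lottiefiles/lottie-player';
const COMPROMISED = new Set(['2.0.5', '2.0.6', '2.0.7']); // from the advisory

// Resolved versions in a package-lock.json (lockfile v2/v3 "packages" map).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PACKAGE)) continue;
    if (COMPROMISED.has(entry.version)) {
      findings.push({ where: path, version: entry.version, risk: 'compromised' });
    }
  }
  return findings;
}

// CDN script tags. No "@version" (or "@latest") tracks the newest release,
// so such a tag would have auto-served 2.0.5-2.0.7 while they were current.
const CDN_RE = /<script[^>]*\ssrc=["']([^"']*@lottiefiles\/lottie-player(?:@([^/"']+))?[^"']*)["']/gi;
function auditHtml(html) {
  const findings = [];
  for (const [, src, version] of html.matchAll(CDN_RE)) {
    if (!version || version === 'latest') {
      findings.push({ where: src, version: version || '(none)', risk: 'unpinned' });
    } else if (COMPROMISED.has(version)) {
      findings.push({ where: src, version, risk: 'compromised' });
    }
  }
  return findings;
}

// Constructed sample inputs: one bad lockfile entry, one unpinned tag, one
// compromised pin and one safe pin (2.0.4, the advisory's fallback version).
const SAMPLE_LOCK = { packages: {
  'node_modules/@lottiefiles/lottie-player': { version: '2.0.6' },
  'node_modules/lodash': { version: '4.17.21' },
} };
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>`;

function runAudit(lock = SAMPLE_LOCK, html = SAMPLE_HTML) {
  return [...auditLockfile(lock), ...auditHtml(html)];
}

for (const f of runAudit()) console.log(`${f.risk}: ${f.where} (${f.version})`);
```

The sample run reports three findings (the 2.0.6 lockfile entry, the `@latest` tag and the `@2.0.7` tag) and leaves the `@2.0.4` pin alone.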

Security Measures Taken by LottieFiles

LottieFiles warned that applications using the compromised npm package might inadvertently prompt users to connect their crypto wallets, creating opportunities for potential theft. The developer account linked to the malicious uploads has been stripped of access, and related tokens have been revoked to prevent any further unauthorized activity. However, the full extent of the attack remains unknown.
