LottieFiles recently disclosed that its npm package, lottie-player, fell victim to a supply chain attack, prompting the company to issue an updated version to address the breach.
The incident came to light on October 30, when the company was alerted that unauthorized versions of the package had been published with malicious code. LottieFiles clarified that this attack did not affect its dotlottie player or its Software as a Service (SaaS) offerings, but it raised alarms about the security of the widely used animation library. The lottie-player package enables developers to embed and play Lottie animations on websites, making it a valuable tool for web developers and designers.
Unfortunately, users who accessed the library through third-party Content Delivery Networks (CDNs) without a pinned version were automatically served the compromised versions as the latest release. The malicious versions, identified as 2.0.5, 2.0.6, and 2.0.7, contained code that attempted to connect users’ cryptocurrency wallets, potentially putting their funds at risk. LottieFiles acted quickly by advising users to update to the secure version 2.0.8 and removing the rogue versions from the npm package repository.
The company explained that these unauthorized versions were published within a short timeframe using a compromised access token from a developer with the necessary privileges. To ensure user safety and transparency, LottieFiles has engaged an external incident response team and activated its incident response plan to investigate the breach and prevent similar incidents in the future.
This incident underscores the vulnerabilities associated with supply chain attacks, particularly in the open-source ecosystem where malicious actors can exploit trust relationships. LottieFiles is not alone in facing such threats; the broader software development community must remain vigilant to safeguard against compromised libraries and packages that can jeopardize user security.
As the company continues its investigation, it aims to reinforce its security measures to protect users and maintain the integrity of its products.
Reference: