LottieFiles, widely known for its animation rendering software and tools for designers and developers, disclosed a significant security incident involving its npm package, @lottiefiles/lottie-player.
Unauthorized versions 2.0.5, 2.0.6, and 2.0.7 were published with malicious code, prompting the need for immediate updates. These compromised versions specifically attempted to access users’ cryptocurrency wallets, posing a potential risk to a large user base.
LottieFiles is a platform offering tools and services for creating, editing, and distributing lightweight, scalable animations. It provides designers and developers with the @lottiefiles/lottie-player library, an open-source web player facilitating smooth animations across web applications. The player is particularly popular in the design and development communities for creating seamless, low-bandwidth animations.
The breach was identified on October 30, 2024, at around 6:20 PM UTC, when LottieFiles was notified of suspicious activity involving new releases of the Lottie Web Player on npm. These unauthorized versions were published over a short span, directly impacting users relying on third-party CDNs without version-pinning, as they automatically received the compromised update.
The breach was traced to an access token belonging to a developer with sufficient privileges, which was exploited to push the altered versions onto the platform. Upon detection, LottieFiles immediately enacted its incident response protocol to address the issue.
LottieFiles reported that the malicious versions included code designed to prompt users to connect to their cryptocurrency wallets. This malicious prompt could expose users to unauthorized wallet access attempts and digital asset theft.
As part of its immediate mitigation action, LottieFiles published a safe version 2.0.8, unpublished the malicious versions, and removed access tokens and accounts associated with the compromised developer.
For users who may have been impacted, LottieFiles recommends an urgent update to version 2.0.8, with SHA verification (sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==) to confirm authenticity. For users unable to perform the update immediately, LottieFiles advises warning end-users against connecting their wallets to any prompts originating from the Lottie Web Player during this period.
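The two checks the advisory implies, as an added example that is not LottieFiles' code: scan a project's package-lock.json for the pulled releases and for a 2.0.8 entry whose integrity string differs from the advisory's SHA-512, and flag CDN script tags that load the player without an exact version pin. It assumes the advisory's hash is the npm tarball integrity value that package-lock.json records for 2.0.8; the sample lockfile and HTML are constructed.

```javascript
// Added example, not LottieFiles' code. Assumes the advisory's SHA-512 is the
// npm tarball integrity string for 2.0.8, i.e. the value package-lock.json records.
const PKG = '@lottiefiles/lottie-player';
const COMPROMISED = new Set(['2.0.5', '2.0.6', '2.0.7']);
const SAFE_VERSION = '2.0.8';
const SAFE_INTEGRITY =
  'sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==';

// Walk a parsed package-lock.json (lockfile v2/v3 "packages" map) and report any
// install of the player that is an unpublished version, or a 2.0.8 whose recorded
// integrity does not match the advisory.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PKG)) continue;
    if (COMPROMISED.has(entry.version)) {
      findings.push(`${path}: compromised ${entry.version}, upgrade to ${SAFE_VERSION}`);
    } else if (entry.version === SAFE_VERSION && entry.integrity !== SAFE_INTEGRITY) {
      findings.push(`${path}: integrity mismatch for ${SAFE_VERSION} (${entry.integrity})`);
    }
  }
  return findings;
}

// Flag <script src> tags that load the player from a CDN without an exact version
// pin (no version, a tag such as @latest, or a range such as @2); such pages
// received the malicious releases automatically.
const CDN_SRC = /<script[^>]*\bsrc=["']([^"']*@lottiefiles\/lottie-player(?:@([^/"']+))?[^"']*)["']/gi;
function auditHtml(html) {
  const findings = [];
  for (const [, src, ver] of html.matchAll(CDN_SRC)) {
    if (!ver || !/^\d+\.\d+\.\d+$/.test(ver)) findings.push(`unpinned CDN reference: ${src}`);
    else if (COMPROMISED.has(ver)) findings.push(`compromised CDN version ${ver}: ${src}`);
  }
  return findings;
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/@lottiefiles/lottie-player': { version: '2.0.7', integrity: 'sha512-CONSTRUCTED==' },
  },
};
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>`;

console.log([...auditLockfile(SAMPLE_LOCK), ...auditHtml(SAMPLE_HTML)].join('\n'));
```

On a real project, replace the constructed inputs with `JSON.parse(fs.readFileSync('package-lock.json'))` and the page templates that embed the player.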
To ensure thorough remediation, LottieFiles is working with an external incident response team to investigate the compromise’s full extent. The company has also reassured users that this incident does not affect other open-source libraries, their GitHub repositories, or LottieFiles’ primary SaaS offerings.