Codenotary Trustcenter Blog

Popular npm Package Compromises Cryptocurrency Wallets

Written by blog | Nov 12, 2024 7:51:05 AM

A supply chain attack on the popular npm package Lottie Player (@lottiefiles/lottie-player), a web component used to embed Lottie animations in web applications, has hit the many developers and businesses that depend on it. The injected code prompted visitors of affected sites to connect their cryptocurrency wallets, and at least one large theft has been linked to it.

Here is a detailed timeline of the events surrounding the attack, along with context on the impact and recommendations for safeguarding against such threats.

March 2024 - Last Stable Version Released

In March 2024, version 2.0.4 of Lottie Player was released as the latest stable version on npm. Over the following months it became the widely used, trusted build of the player, reaching about 94,000 weekly downloads and over 4 million downloads in total. Its popularity comes from what it makes easy: a single web component that drops an interactive animation into a page without any custom rendering code.

For more than seven months, 2.0.4 remained the current version and nothing new was published, a quiet version history that users had come to rely on.

October 30, 2024 - Compromised Versions Surface

On October 30, 2024, three new versions of Lottie Player appeared on the npm registry within a few hours: 2.0.5, 2.0.6, and 2.0.7. All three contained malicious code designed to lure visitors of sites using the player into connecting their cryptocurrency wallets, which were then drained. The releases were alarming in themselves: they broke a long pattern of stability and were not announced by the maintainers at LottieFiles.

Malicious Popups Appear
Visitors to websites running the tainted versions were shown a popup asking them to “connect” their cryptocurrency wallet. The popup imitated the interface of legitimate wallet-connection dialogs and listed popular wallets such as MetaMask, Exodus, and Coinbase as options. A user who approved the connection, and the transactions requested after it, authorised transfers out of the wallet without realising what had been signed.

These prompts were a clear anomaly: no legitimate Lottie Player version interacts with or asks for any blockchain service, so a wallet dialog coming from an animation library is itself an indicator of compromise. The attack created an urgent situation for developers and end users alike and raised hard questions about running open-source libraries, especially unpinned versions, in production.

Automatic Distribution via CDN
The compromised versions reached websites through content delivery networks (CDNs) such as unpkg or jsDelivr, an effective but risky way to serve the newest build of a library to many sites at once. Any page that loaded Lottie Player from a CDN URL without “pinning” the version (that is, without an exact version number in the URL, or with a floating tag such as @latest) automatically received the newest release, which from October 30 meant 2.0.5 through 2.0.7, and served the malicious code to its users. Pinning the exact version stops that automatic roll-forward; adding a Subresource Integrity (integrity=) hash to the script tag additionally makes the browser refuse the file if its content ever differs from the one you vetted.

The modified file was the player bundle, “lottie-player.js”. It is shipped minified, with whitespace removed and identifiers shortened to reduce size, which makes the code hard to read by eye. Because the legitimate builds are minified too, a developer glancing at the file would not notice the injected code; the practical check is to diff the bundle against a known-good copy of 2.0.4 rather than to read it.

October 31, 2024 - LottieFiles Confirms the Supply Chain Attack

In response to user reports, LottieFiles confirmed the attack on October 31. The company stated that the attackers had published through its npm account using a compromised access token belonging to a developer with publish rights for the package. With that token alone they could push unauthorized versions containing the wallet-connect prompt used for phishing and theft.

LottieFiles removed the malicious versions (2.0.5, 2.0.6, and 2.0.7) from npm and published a new safe version, 2.0.8, which is a re-release of the trusted 2.0.4 without the malicious code. LottieFiles advised users to upgrade to 2.0.8 or downgrade to 2.0.4, and not to interact with any wallet prompt until the safe version was in place. Note that removing a version from the registry does not remove it from existing lockfiles, installed node_modules directories, or CDN and browser caches, so each consumer still has to verify which version they are actually serving.

Scope of Impact
LottieFiles stated that its dotLottie player, its SaaS services, its other open-source libraries, and its GitHub repositories were not affected. Even so, the incident is a reminder of how exposed the npm ecosystem is to supply chain attacks that need nothing more than one leaked publish token, and of the importance of protecting such tokens and other publishing credentials.

Financial Impact: Over $723,000 Lost?

While unconfirmed, reports from the web3 anti-scam platform Scam Sniffer suggested that the financial impact might be severe: at least one user appears to have lost 10 BTC (around $723,436 at the time) in a single phishing transaction linked to the attack. A loss of that size from one compromised animation library shows what is at stake when an attacker gains control of a widely used component in the software supply chain.

Recommendations for Businesses and Developers

This incident is a reminder of the exposure that comes with supply chain attacks, especially through widely used open-source libraries. To reduce similar risks, businesses and developers should take the following steps:

Pin versions. Anyone loading open-source libraries, particularly through CDN links, should pin the exact version they have vetted, and for CDN script tags add a Subresource Integrity hash so the browser rejects a file whose content has changed. The same applies to npm dependencies: a caret range such as ^2.0.0 in package.json would have accepted 2.0.5 on the next fresh install, so commit lockfiles and review updates before accepting them. Pinning prevents automatic roll-forward to unvetted versions that may contain vulnerabilities or malicious code.

Apply a strict Content Security Policy (CSP). A restrictive script-src limits which origins may execute script on the page and blocks injected inline scripts. Be aware that allowlisting a CDN host still permits whatever that host serves, so CSP complements pinning and integrity checks rather than replacing them.

Stay current with security releases and advisories for every open-source library in use, and respond quickly to alerts and patches from maintainers. Publishers have their own duty here: keep npm publish tokens scoped and short-lived, require two-factor authentication for publishing, and revoke tokens promptly when a developer's environment may have been exposed, since a single leaked token was all this attack required.

Conclusion

Supply chain attacks like these serve as a powerful reminder of the necessity for vigilance and securing every link in the software supply chain. Using a platform like Codenotary Trustcenter can greatly enhance your defense, offering real-time artifact tracking, vendor risk profiling, SBOM management, and VEX curation. It ensures that only trusted, verified components enter your ecosystem, allowing you to stay ahead of risks and meet compliance standards effectively.

This event highlights the real cost of supply chain attacks, the need for robust security practices across the open-source ecosystem, and the value of putting mitigations such as version pinning, integrity checks, and credential hygiene in place before the next compromised release lands.