November 1, 2024
Severity
High
Analysis Summary
LottieFiles revealed that malicious code in certain versions of its npm package prompts users to connect their Bitcoin wallets so that they can be emptied. Following several user reports of odd code injections, the impacted versions were identified as Lottie Web Player ("lottie-player") 2.0.5, 2.0.6, and 2.0.7, all released recently.
LottieFiles promptly published a new version, 2.0.8, built from the clean 2.0.4, and encouraged users to update as soon as possible. Because many sites load the library from third-party CDNs without pinning a version, the compromised releases were served to them automatically as the latest version; by the same mechanism, those users received the safe version automatically once it was published.
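The paragraph above explains the two ways the compromised releases reached sites: an installed dependency at one of the affected versions, or a CDN script tag with no pinned version. The following audit script is an added example and is not LottieFiles' code; it assumes the package is published on npm as `@lottiefiles/lottie-player` (the advisory only calls it "lottie-player") and that CDN URLs follow the unpkg/jsDelivr `<package>@<version>/...` convention. The lockfile and HTML inputs are constructed for the demonstration.

```javascript
// Added example (not from the advisory or LottieFiles): audit a project for the
// lottie-player releases the advisory lists as compromised and for CDN script
// tags that would silently pick up whatever release is tagged "latest".
// ASSUMPTION: the npm package name is "@lottiefiles/lottie-player".
const PACKAGE_NAME = '@lottiefiles/lottie-player';
const AFFECTED_VERSIONS = new Set(['2.0.5', '2.0.6', '2.0.7']); // from the advisory
const EXACT_SEMVER = /^\d+\.\d+\.\d+$/; // what "pinned" means here: one exact release

// Exact-match check against the versions the advisory names as compromised.
function isAffectedVersion(version) {
  return AFFECTED_VERSIONS.has(String(version).trim());
}

// Walk a package-lock.json and return every installed copy of the package
// whose version is on the affected list. Handles lockfileVersion 2/3 (flat
// "packages" map keyed by path) and lockfileVersion 1 (nested "dependencies").
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PACKAGE_NAME) && meta && isAffectedVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PACKAGE_NAME && isAffectedVersion(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Find <script src="..."> tags that load lottie-player from a CDN and report
// the ones that are unpinned (the CDN serves "latest", which is how the
// compromised releases reached sites automatically), pinned to a floating
// range or dist-tag, or pinned to one of the affected versions.
function auditCdnScriptTags(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[1];
    if (!src.includes('lottie-player')) continue;
    const verMatch = src.match(/lottie-player@([^/]+)/);
    if (!verMatch) {
      findings.push({ src, reason: 'unpinned: no @version, CDN serves latest' });
    } else if (!EXACT_SEMVER.test(verMatch[1])) {
      findings.push({ src, reason: 'floating version: ' + verMatch[1] });
    } else if (isAffectedVersion(verMatch[1])) {
      findings.push({ src, reason: 'affected version: ' + verMatch[1] });
    }
  }
  return findings;
}

// Constructed sample inputs so the script runs stand-alone.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-site' },
    'node_modules/@lottiefiles/lottie-player': { version: '2.0.6' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://example.com/app.js"></script>
`;

console.log('lockfile hits:', scanLockfile(SAMPLE_LOCK));
console.log('CDN findings:', auditCdnScriptTags(SAMPLE_HTML));
```

Run it with `node` against a real `package-lock.json` (parsed with `JSON.parse`) and the site's HTML templates. The exact-semver test is deliberately strict: a `^2.0.4` range or a `latest` tag in a CDN URL reintroduces the automatic-upgrade path the advisory describes, so only a single exact release counts as pinned.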
Those who are unable to update to the most recent version should inform their end users of the danger and caution them about fraudulent cryptocurrency wallet connection requests. Staying on version 2.0.4 is also an option. LottieFiles is a software-as-a-service (SaaS) platform that allows users to create and share scalable, lightweight vector animations for websites and applications.
It is popular because it delivers high-quality graphics with little performance impact on mobile and web apps as well as on less capable devices. LottieFiles announced the supply chain compromise earlier, stating that it affects only the npm package and not its SaaS services.
Apps and websites that embed a malicious version of the Lottie Web Player prompt users to connect their wallets, allowing threat actors to move digital assets to wallets under their control. To stop the malicious activity, all access has been removed from the developer account that uploaded the altered versions of the npm package, and the related tokens have been revoked.
LottieFiles said, “We have confirmed that our other open source libraries, open source code, GitHub repositories, and our SaaS were not affected.”
With the assistance of outside specialists, the platform is still conducting an internal investigation into the compromise; further information regarding the incident may be released in the future. According to a report by a blockchain threat monitoring company, the LottieFiles supply chain breach has resulted in at least one victim losing $723,000. The precise number of victims and the total amount of cryptocurrencies lost to this scam are unknown as of now.
Impact
- Cryptocurrency Theft
- Exposure of Sensitive Data
- Unauthorized Access
- Financial Loss
Remediation
- Users should update to version 2.0.8 of the LottieFiles lottie-player npm package as soon as possible.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade any platforms and software on time and make it into a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.