Lottie player JS was compromised with a drainer. Check dependencies. #3127
Comments
Yes, I confirmed the issue on my side. Wallet popup visible after page loaded. CDN reference used: https://unpkg.com/@LottieFiles/lottie-player@latest/dist/lottie-player.js
Can confirm, same issue.
Can also confirm, same issue on a different website.
Confirmed also.
Same here.
Confirmed also.
Incident Response for Recently Infected Lottie-Player versions 2.0.5, 2.0.6, 2.0.7
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th ~6:20 PM UTC, LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring the safety and security of our users, customers, their end-users, developers, and our employees.
Immediate Mitigation Actions
Impact
Recommended Steps
Next Steps
If you believe you're affected, don't hesitate to reach out to us at [email protected]
Is
The situation has been resolved and we have taken short-term measures to ensure security, as well as started the process of implementing tooling and controls to prevent this in the future. You can check out our incident report here: https://x.com/LottieFiles/status/1851848602093777273
AFFECTED VERSION, DO NOT RUN THIS:
@lottiefiles/lottie-player@latest/dist/lottie-player.js
I DO NOT know if other CDNs are also affected.
UPDATE:
Looks like they lost their npm keys, and the actor pushed 2.0.5 and 2.0.6 with the drainer code. GitHub code showed nothing.
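The thread asks readers to "check dependencies" and warns against loading the player from a CDN at `@latest`. The following is an added example (not code from the LottieFiles project or from any participant in this thread) showing both checks in one Node script: it walks a `package-lock.json` (v1 nested `dependencies` and v2/v3 flat `packages`) for `@lottiefiles/lottie-player` at the versions the thread names, and scans HTML for `<script>` tags that load the package unpinned or without an `integrity` attribute. The affected-version list is taken from the thread; the sample lockfile, sample HTML, and the `sha384-PLACEHOLDER` integrity value are constructed for illustration.

```javascript
// Added example, not from the LottieFiles project or this issue thread.
// Assumptions: the affected versions below are the ones named in the thread;
// SAMPLE_LOCK and SAMPLE_HTML are constructed test data.
const PACKAGE = "@lottiefiles/lottie-player";
const AFFECTED_VERSIONS = new Set(["2.0.5", "2.0.6", "2.0.7"]); // from the thread

// Report every install path in a package-lock.json whose version of PACKAGE
// is in AFFECTED_VERSIONS. Handles lockfileVersion 1 (nested "dependencies")
// and 2/3 (flat "packages" keyed by node_modules path); v2 carries both, so
// results are deduplicated by path.
function findAffectedLockEntries(lock) {
  const hits = new Map();
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // Aliased installs carry an explicit "name"; otherwise derive it from the path.
      const name = entry.name || path.replace(/^.*node_modules\//, "");
      if (name === PACKAGE && AFFECTED_VERSIONS.has(entry.version)) {
        hits.set(path, { path, version: entry.version });
      }
    }
  }
  if (lock.dependencies) walkV1(lock.dependencies, "", hits);
  return [...hits.values()];
}

function walkV1(deps, parent, hits) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = parent ? `${parent}/node_modules/${name}` : `node_modules/${name}`;
    if (name === PACKAGE && AFFECTED_VERSIONS.has(entry.version)) {
      hits.set(path, { path, version: entry.version });
    }
    if (entry.dependencies) walkV1(entry.dependencies, path, hits);
  }
}

// Flag <script src> tags that load PACKAGE from a CDN without an exact
// version (e.g. "@latest" or no "@version" at all), at an affected version,
// or without an integrity attribute (no Subresource Integrity check).
const SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
const EXACT_SEMVER = /^\d+\.\d+\.\d+$/;

function findRiskyCdnRefs(html) {
  const findings = [];
  for (const [tag, src] of html.matchAll(SCRIPT_RE)) {
    if (!src.includes(PACKAGE)) continue;
    const verMatch = src.match(/lottie-player@([^/]+)/);
    const version = verMatch ? verMatch[1] : null;
    const reasons = [];
    if (!version || !EXACT_SEMVER.test(version)) reasons.push("unpinned version");
    else if (AFFECTED_VERSIONS.has(version)) reasons.push(`affected version ${version}`);
    if (!/\bintegrity\s*=/i.test(tag)) reasons.push("no integrity attribute");
    if (reasons.length) findings.push({ src, reasons });
  }
  return findings;
}

// Constructed sample data (not real files from any project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
`;

// Usage: node check-lottie.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is scanned.
if (typeof require === "function" && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  console.log("lockfile hits:", findAffectedLockEntries(lock));
} else {
  console.log("lockfile hits:", findAffectedLockEntries(SAMPLE_LOCK));
}
console.log("risky CDN refs:", findRiskyCdnRefs(SAMPLE_HTML));
```

A clean lockfile result is necessary but not sufficient: a page that loads the player from a CDN bypasses the lockfile entirely, which is why the HTML check is included. Pinning an exact version and adding an `integrity` hash means a later replacement of that file on the CDN fails to load instead of executing.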