Lottie player JS was compromised with a drainer. Check dependencies. #3127

andreujuanc opened this issue Oct 30, 2024 · 9 comments

@andreujuanc

andreujuanc commented Oct 30, 2024

AFFECTED VERSION DO NOT RUN THIS:

@lottiefiles/lottie-player@latest/dist/lottie-player.js
I DO NOT know if other CDNs are also affected.

UPDATE:

Looks like they lost their npm keys, and the actor pushed 2.0.5 and 2.0.6 with the drainer code. GitHub code showed nothing.

@mathieumack

mathieumack commented Oct 30, 2024

Yes, I confirmed the issue on my side.
I've removed Lottie dependencies temporarily on my websites.

Wallet pop-in visible after page loaded (screenshot attached):

CDN reference used: https://unpkg.com/@LottieFiles/lottie-player@latest/dist/lottie-player.js

@tpriceshoppas

can confirm, same issue

@cgarofalo

Can also confirm, same issue on a different website.

@delmas-ch

Confirmed also

@GiuliaCampos

Same here

@lucasfsi

Confirmed also

@kudanai
Collaborator

kudanai commented Oct 31, 2024

Incident Response for Recently Infected Lottie-Player versions 2.0.5, 2.0.6, 2.0.7

Comm Date/Time: Oct 31st, 2024 04:00 AM UTC

Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees.

Immediate Mitigation Actions

  • Published a new safe version (2.0.8)
  • Unpublished the compromised package versions from npm
  • Removed all access and associated tokens/services accounts of the impacted developer

Impact

  • Versions 2.0.5, 2.0.6, 2.0.7 were published directly to http://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.

  • The unauthorized versions contained code that prompted for connecting to user’s crypto wallets.

  • A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix.

Recommended Steps

  • If using versions 2.0.5, 2.0.6 or 2.0.7, please update to the latest version, 2.0.8
    -- SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==

  • If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets.

Next Steps

  • LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.

  • We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected.

If you believe you’re affected, don’t hesitate to reach out to us at [email protected]

@maiconcarraro

Is lottie-web compromised as well or only https://github.com/LottieFiles/lottie-player ?

@kudanai
Collaborator

kudanai commented Nov 1, 2024

lottie-web is unaffected. Only the lottie-player package.

The situation has been resolved and we have taken short-term measures to ensure security, as well as started the process of implementing tooling and controls to prevent this in the future.

You can check out our incident report here https://x.com/LottieFiles/status/1851848602093777273
