LottieFiles supply chain attack exposes users to malicious crypto wallet drainer

A scary few Halloween hours for team behind hugely popular web plugin


LottieFiles is overcoming something of a Halloween fright after battling to regain control of a compromised developer account that was used to exploit users' crypto wallets.

Nattu Adnan, co-founder and CTO at LottieFiles – best known for its popular website animation plugin, LottiePlayer – confirmed on Thursday that a highly privileged developer had their account accessed via a stolen session token and attackers pushed malicious code to users.

He said the code appeared to be designed to connect LottieFiles users' crypto wallets to the attacker's infrastructure, presumably to drain their assets.

Forum users had been discussing unusual behavior on sites that rely on LottiePlayer for animations: on visiting, they were served popups prompting them to connect their wallets.

The cybercriminal(s) behind the incident pushed three new versions of LottiePlayer (2.0.5, 2.0.6, 2.0.7) in the space of an hour to the npmjs package manager. They were the first changes to the project in two months.

Many of those whose websites were configured to load the latest version of LottiePlayer rather than a pinned one had the malicious versions automatically served to their users.

"On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," Adnan wrote on the project's GitHub.

"This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees."

He added that outside security experts were drafted in, the attacker was ejected, a safe version (2.0.8) was released, and the matter is considered resolved.

If for some reason a website admin isn't able to update to version 2.0.8 – a copy of the last safe version, 2.0.4, released in March – they're advised to communicate very clearly to customers that they should not be connecting their wallets when prompted.
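As an added illustration of why the "latest" configuration mattered, here is a small Node.js audit script. It is not LottieFiles' own code: it checks dependency specifiers and CDN script tags for @lottiefiles/lottie-player and reports whether each could resolve to one of the three malicious releases. The minimal semver matcher, the audit functions and the sample HTML are assumptions constructed for this example; the package name and the version numbers (2.0.5 to 2.0.7 malicious, 2.0.8 safe) are the ones named in the article.

```javascript
// Added example (not LottieFiles' code): flag dependency specifiers and
// CDN <script> includes of @lottiefiles/lottie-player that could resolve
// to one of the malicious releases named in the article.
const PACKAGE = '@lottiefiles/lottie-player';
const MALICIOUS = ['2.0.5', '2.0.6', '2.0.7']; // versions pushed by the attacker
const SAFE_UPDATE = '2.0.8';                   // clean release that followed

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range matcher (assumption: covers only exact pins, caret,
// tilde and floating tags). Unknown syntax is treated as floating, so an
// unrecognised range is reported as risky rather than silently passed.
function rangeAllowsVersion(range, version) {
  const r = range.trim();
  const v = parseVersion(version);
  if (r === '' || r === '*' || r === 'latest') return true;
  const exact = parseVersion(r);
  if (exact) return compareVersions(exact, v) === 0;
  const m = /^([~^])(\d+\.\d+\.\d+)$/.exec(r);
  if (!m) return true;
  const base = parseVersion(m[2]);
  if (compareVersions(v, base) < 0) return false;
  if (m[1] === '^') return v[0] === base[0];          // ^ : same major
  return v[0] === base[0] && v[1] === base[1];        // ~ : same major.minor
}

// 'malicious' if the specifier can resolve to a known-bad release,
// 'safe' if it can only resolve to versions outside that set.
function auditSpecifier(range) {
  const matches = MALICIOUS.filter((bad) => rangeAllowsVersion(range, bad));
  return { range, status: matches.length ? 'malicious' : 'safe', matches };
}

// package.json "dependencies" object -> audit result, or null if unused.
function auditDependencies(deps) {
  const range = deps[PACKAGE];
  return range === undefined ? null : auditSpecifier(range);
}

// Scan HTML for <script src=...> includes of lottie-player served from a CDN.
// A URL with no "@version" is served as "latest" and is therefore floating.
function auditScriptTags(html) {
  const results = [];
  const tagRe = /<script[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[1];
    const ver = /lottie-player(?:@([^/?#]+))?(?:[/?#]|$)/.exec(src);
    if (!ver) continue; // not a lottie-player include
    const spec = ver[1] || 'latest';
    const audit = auditSpecifier(spec);
    results.push({ src, spec, status: audit.status, matches: audit.matches });
  }
  return results;
}

// Constructed sample page: one pinned-safe include, one unpinned include,
// one pinned to a malicious release, and one unrelated script.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="/static/app.js"></script>
`;

console.log(JSON.stringify(auditScriptTags(SAMPLE_HTML), null, 2));
console.log(JSON.stringify(auditDependencies({ [PACKAGE]: '^2.0.4' })));
console.log(`remediation: pin ${PACKAGE} to ${SAFE_UPDATE} (or 2.0.4)`);
```

Running it on the sample page reports the unpinned include and the 2.0.6 include as malicious and the 2.0.4 include as safe; for package.json, a caret range such as `^2.0.4` is reported as able to resolve to all three bad releases, which is exactly the exposure the article describes for sites that tracked the latest version.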

"We have confirmed that our other open source libraries, open source code, GitHub repositories, and our SaaS were not affected."

Adnan didn't comment on the number of users affected by the incident, but to give a flavor of how popular LottiePlayer is, the project has 94,000 weekly downloads and has been downloaded more than 4 million times since its initial launch.

Again, the project hasn't officially confirmed this, but Web3 security platform Scam Sniffer spotted a transaction that it suggests shows one victim losing 10 Bitcoin ($722,508 at the time of writing) to the attack.

The incident is just the latest in a long line of noteworthy wallet-draining attacks over the past year. As recently as last month, we reported on a malicious Android app that drained victims' wallets of $70,000 in crypto assets, for example.

Be it through dodgy apps, supply chain attacks like the one that hit LottiePlayer, or exploiting the mechanics of smart-contract deployment opcodes, cybercrooks are always looking for ways to make a quick buck.

Almost exactly a year ago, major crypto exchange Poloniex had $120 million in user assets drained from its reserves – an incident that occurred just days after the Monero Project was raided for just shy of half a million dollars. ®
