Supply chain attack in popular lottie-player library compromises websites with malicious Web3 wallet prompts – update or revert the library to avoid the compromised versions.
# Incident Report: Supply Chain Attack on lottie-player Library
## Executive Summary
A supply chain attack compromised the popular JavaScript library `lottie-player` on October 30, 2024: attackers who controlled a maintainer's npm token published releases containing injected malicious code. The malicious code, shipped in versions 2.0.5 through 2.0.7, presented visitors of affected websites with unauthorized Web3 wallet connection prompts intended to drain cryptocurrency assets, as seen on platforms such as 1inch. The incident was mitigated by publishing a clean release and removing the affected versions, but residual risk remains for sites that do not pin their dependencies.
## Incident Details
- Discovery Date: October 30, 2024 (Reported via GitHub)
- Incident Date: October 30, 2024 (Between 8:12 PM and 9:57 PM GMT)
- Affected Organization: LottieFiles (creator of `lottie-player`)
- Sector: Software Development / Open Source Libraries (JavaScript)
- Geography: Not specified (Global impact due to CDN distribution)
## Timeline of Events
### Initial Access
- Date/Time: Prior to publication on October 30, 2024 (8:12 PM GMT)
- Vector: Compromise of a maintainer's access token (Supply Chain)
- Details: Attackers gained unauthorized access to a token owned by maintainer 'Aidosmf', allowing them to publish malicious updates to npm.
### Lateral Movement
- Not applicable/Not detailed in the context. The attack was direct injection into the source code repository/publishing process.
### Data Exfiltration/Impact
- [Data Exfiltration/Impact]: Malicious code prompted users visiting affected websites to connect to their Web3 wallets, leading to the potential theft of cryptocurrency assets (e.g., one confirmed loss of 10 Bitcoin).
### Detection & Response
- [Detection]: User reported unexpected Web3 wallet connection prompts on GitHub when integrating the library.
- [Response actions taken]: Safe version `2.0.8` was published. Affected versions (`2.0.5`, `2.0.6`, `2.0.7`) were removed from npm and major CDNs.
## Attack Methodology
- Initial Access: Compromise of a maintainer's token granting publishing rights.
- Persistence: Not explicitly detailed, assumed limited to the time the malicious versions were published as latest releases.
- Privilege Escalation: Not applicable; direct injection via compromised publishing rights.
- Defense Evasion: Leveraging the trust inherent in a widely used, legitimate open-source dependency distributed via CDNs.
- Credential Access: N/A (Focus was on user crypto wallet credentials/keys via phishing prompts).
- Discovery: N/A (Attacker initiated the payload distribution).
- Lateral Movement: N/A (Attack targeted end-users of the library).
- Collection: N/A (Directly aimed at harvesting wallet connection signatures/approvals).
- Exfiltration: Crypto assets stolen via malicious wallet prompts.
- Impact: Financial loss via cryptocurrency theft from end-users.
## Impact Assessment
- Financial: At least one confirmed loss of 10 Bitcoin ($723,436 USD) based on one transaction report.
- Data Breach: Not a traditional data breach, but user crypto wallet connection data/keys targeted.
- Operational: Potential disruption to cryptocurrency platforms (e.g., 1inch dApp users faced malicious signature requests).
- Reputational: Negative impact on the trust associated with the LottieFiles platform and open-source dependencies.
## Indicators of Compromise
- [Network indicators - defanged]: Loading `lottie-player` from [`https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player[.]js`](https://unpkg.com/%40lottiefiles/lottie-player@latest/dist/lottie-player.js) or [`https://cdn.jsdelivr.net/npm/@lottiefiles/[email protected]/dist/lottie-player.min[.]js`](https://cdn.jsdelivr.net/npm/%40lottiefiles/[email protected]/dist/lottie-player.min.js) (when these were compromised).
- [File indicators]: `lottie-player` versions 2.0.5, 2.0.6, and 2.0.7.
- [Behavioral indicators]: Unexpected Web3 wallet connection prompts appearing on websites using the library.
## Response Actions
- [Containment measures]: Affected versions were immediately removed from major CDNs and npm.
- [Eradication steps]: Publishing safe version `2.0.8`.
- [Recovery actions]: Users must update their implementations to version `2.0.8` or revert to `2.0.4`.
## Lessons Learned
- Key takeaways: Wide dependency adoption (94,000 weekly downloads) makes popular libraries high-value targets for supply chain attacks. Reliance on "latest" version tags without pinning dependencies magnifies risk during rapid compromise/remediation cycles.
- What could have been done better: Better token security/multi-factor authentication on publishing accounts for critical open-source projects.
## Recommendations
- Prevention measures for similar incidents: Implement strict version pinning for all third-party JavaScript libraries to prevent automatic downloads of compromised updates. Regularly audit dependency trees for usage of compromised versions.
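The version-pinning and dependency-audit recommendations above, together with the file and network indicators listed earlier, can be turned into a small defensive check. The following is an added example and not code from LottieFiles or from the original report: it flags affected `lottie-player` versions in a `package-lock.json`, floating version ranges in a `package.json`, and CDN `<script>` tags that load the library unpinned, at an affected version, or without a Subresource Integrity hash. The affected version list (2.0.5 to 2.0.7) and the CDN hosts come from the report; the lockfile, `package.json` and HTML inputs are constructed samples, and the `sha384-PLACEHOLDER` integrity value is a placeholder, not a real hash.

```javascript
// Added example (not LottieFiles' or the report's code). Affected versions and
// CDN hosts are from the incident report; all inputs below are constructed.

const PACKAGE_NAME = "@lottiefiles/lottie-player";
const AFFECTED_VERSIONS = new Set(["2.0.5", "2.0.6", "2.0.7"]);

function isAffectedVersion(version) {
  return AFFECTED_VERSIONS.has(String(version).trim());
}

// Walk a package-lock.json object. lockfileVersion 2/3 lists every installed
// package under "packages" keyed by path; v1 nests them under "dependencies".
function findAffectedLockEntries(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE_NAME) && isAffectedVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PACKAGE_NAME && isAffectedVersion(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/"); // nested (non-hoisted) packages
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// A spec that is not an exact version (^, ~, latest, *) can resolve to a newly
// published release on the next install, which is how "latest" consumers picked
// up 2.0.5-2.0.7 without any change on their side.
function findFloatingSpecs(pkgJson) {
  const exact = /^\d+\.\d+\.\d+$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!exact.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Scan HTML for <script src> tags that load lottie-player from a CDN and report
// why each one is risky: no version or @latest, an affected version, or no SRI.
function findRiskyScriptTags(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [tag, src] = m;
    if (!src.includes("lottie-player")) continue;
    const ver = /lottie-player@([^/]+)/.exec(src);
    let reason = null;
    if (!ver || ver[1] === "latest") reason = "unpinned: resolves to whatever is tagged latest";
    else if (isAffectedVersion(ver[1])) reason = "compromised version " + ver[1];
    else if (!/\bintegrity\s*=/i.test(tag)) reason = "pinned but no Subresource Integrity hash";
    if (reason) findings.push({ src, reason });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real site).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-site", dependencies: { [PACKAGE_NAME]: "^2.0.0" } },
    ["node_modules/" + PACKAGE_NAME]: { version: "2.0.6" },
    "node_modules/lit": { version: "3.1.0" },
  },
};
const SAMPLE_PKG = { dependencies: { [PACKAGE_NAME]: "^2.0.0", lit: "3.1.0" } };
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.min.js"></script>
<script src="/static/app.js"></script>`;

function runAudit() {
  return {
    lock: findAffectedLockEntries(SAMPLE_LOCK),
    floating: findFloatingSpecs(SAMPLE_PKG),
    scripts: findRiskyScriptTags(SAMPLE_HTML),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The script-tag check treats a pinned version without an `integrity` attribute as a finding on purpose: pinning stops a CDN's `@latest` alias from serving a newly published release, but only an SRI hash makes the browser refuse a file whose contents differ from what the site author vetted. The lockfile walk covers both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1, so the same function can be run against older projects.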