Top online animation tool LottieFiles hacked to target victims’ crypto wallets
A popular online animation tool was abused to trick people into handing over access to their cryptocurrency wallets, with at least one person losing almost $700,000.
LottieFiles is a platform that provides tools and a library for creating, editing and sharing lightweight, scalable animations in the Lottie format. These animations, along with the LottiePlayer plugin, are commonly used on websites and mobile applications; the player sees 94,000 weekly downloads and has been downloaded more than 4 million times since launch.
Recently, an unnamed threat actor somehow obtained a session cookie from one of the LottieFiles developers and used that access to push three new versions of LottiePlayer (2.0.5, 2.0.6, and 2.0.7) to npmjs. Websites that use LottiePlayer and are configured to always use the latest version will automatically download the malicious versions.
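The exposure described above comes from following the newest published release rather than a fixed version. The Node.js script below is an added example, not LottieFiles code: it checks a project's package-lock.json, package.json and HTML for the three versions named in the article and for unpinned references that would have pulled them in; the sample inputs are constructed.

```javascript
// Added example (not LottieFiles code): scan a project for the compromised
// @lottiefiles/lottie-player versions named in the article (2.0.5, 2.0.6, 2.0.7)
// and for unpinned references that track whatever npm or a CDN currently serves.
const PKG = "@lottiefiles/lottie-player";
const MALICIOUS = new Set(["2.0.5", "2.0.6", "2.0.7"]); // versions from the article

// package-lock.json (lockfileVersion 2/3): records the version actually installed.
function checkLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && MALICIOUS.has(entry.version)) {
      findings.push({ where: path, version: entry.version, reason: "malicious version" });
    }
  }
  return findings;
}

// package.json: a range such as "^2.0.4" lets a fresh install resolve to 2.0.7.
function checkPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps[PKG];
  if (spec === undefined) return [];
  if (MALICIOUS.has(spec)) return [{ where: "package.json", version: spec, reason: "malicious version" }];
  if (!/^\d+\.\d+\.\d+$/.test(spec)) return [{ where: "package.json", spec, reason: "non-exact range" }];
  return [];
}

// HTML: <script src> tags loading the player from a CDN. No "@version" or "@latest"
// means the site follows the newest published release, exactly the exposure described.
function checkHtml(html) {
  const findings = [];
  const re = /<script[^>]+src=["']([^"']*lottie-player[^"']*)["']/gi;
  for (let m; (m = re.exec(html)) !== null; ) {
    const src = m[1];
    const ver = /lottie-player@([^/]+)/.exec(src);
    if (!ver || ver[1] === "latest") findings.push({ where: src, reason: "unpinned version" });
    else if (MALICIOUS.has(ver[1])) findings.push({ where: src, version: ver[1], reason: "malicious version" });
  }
  return findings;
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = { packages: { ["node_modules/" + PKG]: { version: "2.0.6" } } };
const SAMPLE_PKG = { dependencies: { [PKG]: "^2.0.4" } };
const SAMPLE_HTML = `<script src="https://unpkg.com/${PKG}@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/${PKG}@2.0.4/dist/lottie-player.js"></script>`;

console.log(checkLockfile(SAMPLE_LOCK), checkPackageJson(SAMPLE_PKG), checkHtml(SAMPLE_HTML));
```

Pinning an exact version in package.json and committing the lockfile keeps an install from silently moving to a newly published release; the CDN check catches the same problem for script tags.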
New version released
These new versions have prompted website visitors to connect their cryptocurrency wallets, essentially giving the site access to the stored funds. We don’t know how many people fell for the trick and linked their wallets, but we do know that at least one person did and it cost them 10 BTC, which at the time of writing is $696,960. This information came from Scam Sniffer, a Web3 anti-scam platform.
“On October 30 ~ 18:20 UTC – LottieFiles was notified that our popular open source npm package for the web player @lottiefiles/lottie-player had pushed unauthorized new versions containing malicious code,” the project’s co-founder and CTO, Nattu Adnan, wrote on GitHub. “This does not impact our dotlottie player and/or SaaS services. As a result, our incident response plans have been activated. We apologize for this inconvenience and are committed to ensuring the safety and security of our users, customers, their end users, developers, and our employees.”
The attacker was quickly driven out and a new version, 2.0.8, was pushed live. This is a copy of the latest safe version, namely 2.0.4.
“We have confirmed that our other open source libraries, open source code, GitHub repositories, and our SaaS are not affected.”
Via The Register