October 31, 2024 at 10:39AM
LottieFiles announced that its npm package “lottie-player” was compromised in a supply chain attack, leading to unauthorized, malicious versions that prompted users to connect cryptocurrency wallets. Users of versions 2.0.5, 2.0.6, and 2.0.7 should update to 2.0.8. The company is investigating with an external team.
### Meeting Takeaways – October 31, 2024
**Subject:** LottieFiles npm Package Compromise
1. **Incident Overview:**
– LottieFiles’ npm package “lottie-player” was compromised in a supply chain attack.
– Unauthorized versions containing malicious code were pushed on October 30, 2024, around 6:20 PM UTC.
2. **Impact:**
– Users running versions 2.0.5, 2.0.6, or 2.0.7 are urged to update to version 2.0.8.
– Compromised versions prompted users to connect their cryptocurrency wallets, potentially risking their funds.
– The attack does not impact LottieFiles’ dotlottie player or SaaS service.
3. **Response Actions:**
– Malicious versions have been unpublished from the npm repository.
– LottieFiles activated its incident response plan and engaged an external team to aid in the investigation.
4. **Recommendations for Users:**
– Update to the latest version (2.0.8) if currently using any of the compromised versions.
– Pin dependency versions to exact releases to reduce exposure to future compromised releases.
5. **Company Background:**
– LottieFiles is known for its animation workflow platform, enabling creation and sharing of animations in the JSON-based Lottie format.
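As an added example (not LottieFiles' code and not part of the original post), the Node.js script below audits a project's package-lock.json for the three compromised versions listed above and checks whether package.json pins the package to an exact release, as recommended. It assumes the package name "lottie-player" as written in the post and uses constructed sample files.

```javascript
// Added example: audit an npm lockfile for the compromised lottie-player
// versions named in the advisory and check that package.json pins the package.
// Assumptions: package name "lottie-player" as given in the post; lockfile
// formats v1 (nested "dependencies") and v2/v3 (flat "packages").
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const FIXED_VERSION = "2.0.8";

// Walk a package-lock.json object and return every install path of pkgName
// whose resolved version is in the compromised set.
function findCompromised(lock, pkgName, bad = COMPROMISED) {
  const hits = [];
  // lockfileVersion 2/3: flat map keyed by install path
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${pkgName}`) && bad.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === pkgName && bad.has(entry.version)) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// True only when package.json pins pkgName to one exact x.y.z version
// (no ^, ~, ranges or wildcards), so a future bad release is not auto-installed.
function isPinned(pkgJson, pkgName) {
  const spec = (pkgJson.dependencies || {})[pkgName] ?? (pkgJson.devDependencies || {})[pkgName];
  return typeof spec === "string" && /^\d+\.\d+\.\d+$/.test(spec);
}

// Constructed sample inputs (not real project files): a caret range lets
// npm resolve to the compromised 2.0.6 in the top-level install.
const SAMPLE_PACKAGE_JSON = { dependencies: { "lottie-player": "^2.0.4" } };
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "lottie-player": "^2.0.4" } },
    "node_modules/lottie-player": { version: "2.0.6" },
    "node_modules/some-widget/node_modules/lottie-player": { version: "2.0.8" },
  },
};

function audit(pkgJson, lock, pkgName = "lottie-player") {
  return { hits: findCompromised(lock, pkgName), pinned: isPinned(pkgJson, pkgName), fixedVersion: FIXED_VERSION };
}

console.log(JSON.stringify(audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_V3), null, 2));
```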
**Next Steps:**
– Monitor updates from LottieFiles for further developments on the incident.
– Share information on cybersecurity best practices with team members to prevent similar issues.
**Follow-Up Actions:**
– Encourage following LottieFiles on Twitter and LinkedIn for exclusive updates and content.