October 31, 2024 at 04:10PM
LottieFiles’ Lottie-Player project was compromised in a supply chain attack, injecting a crypto drainer into websites, potentially costing one victim $723,000 in Bitcoin. Affected versions were quickly replaced with a secure update. Users are advised to upgrade or be cautious of fraudulent wallet connection requests amid ongoing investigations into the breach.
### Meeting Takeaways
1. **Incident Overview**:
– The LottieFiles Lottie-Player project was the target of a supply chain attack, resulting in the injection of a crypto wallet drainer script into versions 2.0.5, 2.0.6, and 2.0.7.
2. **Financial Impact**:
– According to Scam Sniffer, at least one user lost approximately $723,000 in Bitcoin due to the compromise.
3. **Malicious Functionality**:
– The injected script prompts users to connect their cryptocurrency wallets, attempting to drain assets and NFTs when connected.
4. **Immediate Response**:
– LottieFiles released version 2.0.8 (based on the clean 2.0.4) to rectify the issue and advised all users to upgrade immediately.
– Sites loading the library from third-party CDNs without a pinned version were particularly affected, because they received the compromised release automatically with no change on their side.
5. **User Guidance**:
– Users unable to upgrade should alert their end users about the risks and fraudulent wallet connection requests.
– It is permissible to remain on version 2.0.4 as a temporary measure.
6. **Security Assurance**:
– LottieFiles confirmed that no other open-source libraries, code repositories, or their SaaS platform were affected by the attack.
– An investigation is ongoing with external expert assistance, and further details may be disclosed later.
7. **Wider Threat Context**:
– Crypto drainers represent a significant threat within the cryptocurrency community, with various high-profile hacks and methods of attack reported throughout 2023.
### Action Items
– Encourage all affected users to upgrade to Lottie-Player version 2.0.8.
– Communicate risks to stakeholders and users who may still be using older versions.
– Monitor updates from LottieFiles regarding the ongoing investigation.
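As an added example (not code from LottieFiles or the original report), the following Python check scans a page's `<script>` tags for Lottie-Player loaded from a CDN and flags unpinned references, the affected 2.0.5 to 2.0.7 versions, and missing Subresource Integrity, which is the triage behind the upgrade and pinning guidance above. The CDN path `@lottiefiles/lottie-player@<version>` and the sample HTML are assumptions constructed for the example.

```python
import re
# Versions the summary above names as carrying the drainer, and the clean release that replaced them.
COMPROMISED_VERSIONS = {"2.0.5", "2.0.6", "2.0.7"}
FIXED_VERSION = "2.0.8"
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Version fragment of a CDN path such as .../@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js
VERSION_RE = re.compile(r"lottie-player@([^/]+)", re.IGNORECASE)

def classify_version(version):
    """Map the version fragment of a CDN URL to a risk label."""
    if version is None or not re.fullmatch(r"\d+\.\d+\.\d+", version):
        # No version, a dist-tag such as 'latest', or a range lets the CDN serve whatever is newest.
        return "unpinned"
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    if version == FIXED_VERSION:
        return "fixed"
    return "pinned-other"

def audit_html(html):
    """Return one finding per <script> tag that loads lottie-player from a URL."""
    findings = []
    for tag in SCRIPT_TAG_RE.findall(html):
        src_match = SRC_RE.search(tag)
        if not src_match or "lottie-player" not in src_match.group(1).lower():
            continue
        src = src_match.group(1)
        version_match = VERSION_RE.search(src)
        version = version_match.group(1) if version_match else None
        findings.append({
            "src": src, "version": version, "status": classify_version(version),
            # Subresource Integrity pins the file hash, so a swapped artifact at the same URL fails to load.
            "has_sri": "integrity=" in tag.lower(),
        })
    return findings

# Constructed sample page (not from the advisory) covering the cases a triage would meet.
SAMPLE_HTML = """
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"{f['status']:<12} sri={str(f['has_sri']):<5} {f['src']}")
```

Only an exact semver with a real `integrity` hash counts as a safe load; "unpinned" and "compromised" findings are the ones that need an immediate change.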