October 31, 2024 at 05:05AM
LottieFiles reported malicious code in npm package versions 2.0.5, 2.0.6, and 2.0.7, prompting users to connect cryptocurrency wallets. They released version 2.0.8 to remedy the issue, advising users to upgrade. The malicious activity affected no other services or repositories, while investigations continue into the breach’s impact.
### Meeting Takeaways:
1. **Malicious Code Detected**: Specific versions (2.0.5, 2.0.6, 2.0.7) of the Lottie Web Player npm package have been found to contain malicious code that prompts users to connect their cryptocurrency wallets.
2. **Quick Response**: LottieFiles has released a new safe version (2.0.8), which users are advised to upgrade to immediately. This version is based on the clean version 2.0.4.
3. **Automatic Updates**: Users utilizing the library via third-party CDNs without a pinned version may have been automatically served the compromised versions. Those who upgrade should automatically receive the fix.
4. **Communication Required**: Users unable to upgrade should notify those using the Lottie Player about the risks of fraudulent wallet connection requests. Remaining on version 2.0.4 is also an option to avoid the issue.
5. **Impact of Compromise**: The incident specifically affects the npm package, not LottieFiles’ SaaS services. Apps and websites using the malicious package were found to serve wallet connection prompts directly to users.
6. **Security Measures Taken**: The developer account responsible for the malicious uploads has had its access revoked, and associated tokens have been deactivated to prevent further malicious activities.
7. **Ongoing Investigation**: LottieFiles is conducting an internal investigation, assisted by external experts. Further information regarding the compromise may be released in the future.
8. **Victim Status Unknown**: It remains unclear whether there have been any victims, how many, or the amount of money potentially lost due to the fraudulent activity.
9. **Overview of LottieFiles**: The platform is recognized for offering a SaaS solution that enables the creation and sharing of lightweight, vector-based animations suitable for use in various applications and websites, ensuring high-quality visuals with minimal performance impact.