A recent supply chain attack targeting the popular npm package @lottiefiles/lottie-player has brought attention to vulnerabilities in software dependencies. The incident, uncovered by ReversingLabs, involved the release of malicious versions of the package earlier this year.
The @lottiefiles/lottie-player package, which sees approximately 84,000 weekly downloads, is commonly used to embed and play Lottie animations on websites. Despite its usual security measures, malicious actors were able to compromise the package by publishing unauthorized versions – specifically versions 2.0.5, 2.0.6, and 2.0.7 – using a privileged developer account’s access token.
These malicious updates included altered code that prompted users to connect their web3 wallets. Once connected, attackers were able to access and drain victims’ crypto wallet assets. The issue was quickly flagged by developers who noticed unusual activity on affected sites, sparking discussions on forums and GitHub.
In response to the breach, LottieFiles acted swiftly, working with npm to remove the malicious versions and releasing a clean version based on the last secure release (version 2.0.4). Developers whose projects resolved the package through the @latest dependency configuration received the clean version automatically, mitigating any potential impacts.
Researchers at ReversingLabs detected the compromise by conducting a thorough analysis comparing the secure 2.0.4 version with the malicious 2.0.7 version. They identified significant changes such as increased file size without justification, the introduction of URLs linked to Bitcoin exchanges, and the removal of standard behaviors like display enumeration. Threat-hunting policies were also implemented to detect patterns resembling known software supply chain attacks, particularly related to crypto-token detection.
This incident serves as a reminder to developers about the importance of pinning dependencies to specific, vetted versions to prevent vulnerabilities in auto-updated packages. Regular security assessments of dependencies and build pipelines are crucial in identifying and addressing potential risks.
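As an added illustration of the pinning advice above (example code, not from the article, LottieFiles or ReversingLabs), the following Node.js script audits a project's package.json and package-lock.json for two things: declared ranges that can float to a newer release, and installed versions that match the compromised 2.0.5, 2.0.6 and 2.0.7 releases named in the article. The sample project data is constructed for the demonstration.

```javascript
// Added example: audit npm manifests for floating ranges and for installed
// versions matching the compromised @lottiefiles/lottie-player releases.

// Versions the article names as malicious; the clean baseline is 2.0.4.
const COMPROMISED = {
  "@lottiefiles/lottie-player": new Set(["2.0.5", "2.0.6", "2.0.7"]),
};

// An exact version is major.minor.patch with an optional prerelease/build tag.
// Anything with ^, ~, *, x, comparison operators or a dist-tag such as
// "latest" can resolve to a release that did not exist when it was reviewed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isPinned(range) {
  return EXACT_VERSION.test(String(range).trim());
}

// Returns a list of findings; an empty list means nothing to report.
function auditDependencies(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    if (!isPinned(range)) {
      findings.push({ name, kind: "unpinned", detail: range });
    }
  }
  // lockfileVersion 2/3 records resolved versions under "packages", keyed by
  // install path; the package name is the part after the last node_modules/.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    const bad = COMPROMISED[name];
    if (bad && bad.has(meta.version)) {
      findings.push({ name, kind: "compromised", detail: meta.version });
    }
  }
  return findings;
}

// Constructed sample project: a caret range that would have pulled 2.0.7 in
// automatically, and a lockfile that has already resolved to it.
const SAMPLE_PKG = {
  dependencies: { "@lottiefiles/lottie-player": "^2.0.4", "left-pad": "1.3.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: SAMPLE_PKG.dependencies },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.7" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of auditDependencies(SAMPLE_PKG, SAMPLE_LOCK)) {
  console.log(`${f.kind}: ${f.name} (${f.detail})`);
}
```

Run against a real project by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` of the two files; a non-empty result is a reason to pin the range and reinstall from a vetted version.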
ReversingLabs emphasized the need for developers to conduct thorough security assessments to verify the integrity and quality of public, open-source libraries before integration. While the compromise of @lottiefiles/lottie-player was detected quickly in this instance, there is a possibility of malicious actors becoming more sophisticated in hiding their code in the future. Vigilance and proactive security measures are essential in safeguarding against supply chain attacks in the software development process.