LottieFiles Warns of Compromised “lottie-player” npm Package
LottieFiles has disclosed that its npm package “lottie-player” was compromised in a supply chain attack, and has published an updated version of the package in response.
“LottieFiles was informed on the 30th of October around 6:20 PM Coordinated Universal Time that our renowned open-source npm component for the web player @lottiefiles/lottie-player had unauthorized new variants uploaded with harmful code,” the company said in a statement on X. “This does not affect our dotlottie player and/or SaaS service.”
LottieFiles is an animation workflow platform that lets creators build, edit, and share animations in the Lottie JSON format. It also maintains the npm package lottie-player, which is used to embed and play Lottie animations on websites.
According to the company, “a considerable number of users relying on the library via external CDNs without a pinned version were automatically presented with the jeopardized version as the latest release.”
The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, presumably with the intent of draining their funds. Users on versions 2.0.5, 2.0.6, and 2.0.7 are advised to upgrade to version 2.0.8.
“Versions 2.0.5, 2.0.6, 2.0.7 were uploaded directly to https://npmjs.com within the span of an hour using a compromised access token from a developer with requisite permissions,” LottieFiles said.
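The two exposure paths described above are a lockfile that resolves the player to 2.0.5, 2.0.6 or 2.0.7, and a CDN script tag with no pinned version, which would have served the malicious release as "latest". The following Node.js audit script is an added example written for this article, not LottieFiles' own tooling; the package-lock.json snippet and the HTML in it are constructed samples, and the unpkg and jsDelivr URL shapes it recognises are assumed typical forms rather than anything taken from the advisory.

```javascript
// Added example (not LottieFiles' code): audit a project for the compromised
// @lottiefiles/lottie-player releases named in the advisory (2.0.5, 2.0.6, 2.0.7)
// and for unpinned CDN <script> tags that would have auto-served them.
// All sample inputs below are constructed for illustration.

const PACKAGE = '@lottiefiles/lottie-player';
const COMPROMISED = new Set(['2.0.5', '2.0.6', '2.0.7']);
const FIXED = '2.0.8';

// Scan a package-lock.json (v2/v3 "packages" map or v1 "dependencies" map)
// for any resolution of the player to a compromised version.
function findLockfileHits(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PACKAGE) && COMPROMISED.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  const dep = (lock.dependencies || {})[PACKAGE];
  if (dep && COMPROMISED.has(dep.version)) {
    hits.push({ path: PACKAGE, version: dep.version });
  }
  return hits;
}

// Classify every <script src=...> that loads the player from a CDN:
//   "unpinned"    no version, "latest", or a floating range such as ^2 (the
//                 situation the advisory describes: whatever is newest gets served)
//   "compromised" pinned to 2.0.5, 2.0.6 or 2.0.7
//   "ok"          pinned to any other exact version
function auditHtml(html) {
  const findings = [];
  const scriptRe = /<script[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = m[1];
    if (!src.includes('lottie-player')) continue;
    // Assumed CDN forms: .../@lottiefiles/lottie-player@<version>/dist/...
    const v = /lottie-player@([^/]+)/.exec(src);
    const version = v ? v[1] : null;
    let status;
    if (!version || version === 'latest' || !/^\d+\.\d+\.\d+$/.test(version)) {
      status = 'unpinned';
    } else if (COMPROMISED.has(version)) {
      status = 'compromised';
    } else {
      status = 'ok';
    }
    findings.push({ src, version, status });
  }
  return findings;
}

// Constructed lockfile: a site that resolved the player to 2.0.6.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-site' },
    ['node_modules/' + PACKAGE]: { version: '2.0.6' },
  },
});

// Constructed HTML: one floating tag, one pinned to a bad release, one pinned
// to the fixed release, and one unrelated script that must be ignored.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="/static/app.js"></script>
`;

// Print findings and return the number of items that need action.
function report(lockJson = SAMPLE_LOCK, html = SAMPLE_HTML) {
  const lockHits = findLockfileHits(lockJson);
  const htmlFindings = auditHtml(html);
  for (const h of lockHits) {
    console.log(`lockfile: ${h.path} resolves to ${h.version}; upgrade to ${FIXED}`);
  }
  for (const f of htmlFindings) {
    console.log(`html: ${f.status.padEnd(11)} ${f.src}`);
  }
  return lockHits.length + htmlFindings.filter((f) => f.status !== 'ok').length;
}

report();
```

Run it with `node audit.js` from the project root after swapping the constructed samples for the real package-lock.json and page templates; a non-zero count means either a lockfile still resolves to a pulled release or a page loads the player without an exact version pin.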
In addition to publishing a fix, the three malicious versions have been removed from the npm registry. LottieFiles said it has also activated its incident response plan and brought in an external incident response team to assist with the investigation.