Supply Chain Attack on LottieFiles Player Caused by Compromised npmjs Credentials

The npm package for the LottieFiles Player web component was hit with a supply chain attack after a software engineer's npmjs credentials were compromised.


Sarah Gooding

October 31, 2024


LottieFiles, a motion graphics platform for designers and developers, is responding to a supply chain attack on the LottieFiles Player npm package, in which a threat actor injected malicious code into versions 2.0.5, 2.0.6, and 2.0.7. The package, downloaded roughly 89,000 times per week, is a web component for embedding and playing Lottie animations and Lottie-based Telegram sticker animations in websites.

On any site that loads one of the compromised versions, the injected code opens an attacker-controlled crypto wallet popup and prompts visitors to connect a Web3 wallet.

Jawish Hameed, LottieFiles VP of Engineering, said his team is still investigating the attack. It appears that one of their software engineers, @adiosmf, had his token compromised, and it was used to publish the malicious versions over the course of three hours. LottieFiles quickly removed the compromised account access and published a new 2.0.8 version with the crypto scam removed (a copy of the last clean version 2.0.4).

npm quickly removed the offending versions. LottieFiles recommends that anyone with one of the compromised versions in their package.json update to the latest release, 2.0.8. That version is now served by the CDNs, but the compromised versions remain available from CDNjs.com to any page whose URL pins one of them explicitly.
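Checking whether a project actually installed one of the affected versions is a lockfile question, not a package.json question: package.json only says what range could resolve, while the lockfile records what did resolve, including copies nested under other dependencies. The following scanner is an added example, not LottieFiles' or Socket's code; it assumes the npm package name is @lottiefiles/lottie-player (the article does not spell it out) and uses a constructed lockfile in which the app pins the clean 2.0.4 but a transitive dependency pulled in 2.0.6.

```javascript
// Added example: scan an npm lockfile for versions named in an advisory.
// Assumption: the package is published as @lottiefiles/lottie-player; the
// bad and fixed version numbers are the ones given in the article.
const COMPROMISED = {
  "@lottiefiles/lottie-player": { bad: new Set(["2.0.5", "2.0.6", "2.0.7"]), fixed: "2.0.8" },
};

// lockfileVersion 2/3 keys look like "node_modules/foo/node_modules/@scope/pkg";
// the package name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns every installed {name, version, path, fixed} that an advisory lists
// as bad. Handles lockfileVersion 2/3 (flat "packages" map) and
// lockfileVersion 1 (nested "dependencies" tree).
function findCompromised(lock, advisories = COMPROMISED) {
  const hits = [];
  const check = (name, version, path) => {
    const adv = advisories[name];
    if (adv && adv.bad.has(version)) hits.push({ name, version, path, fixed: adv.fixed });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // "" is the root project itself
      // meta.name is only present for aliased installs; otherwise derive it
      check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3): the app itself pins the
// clean 2.0.4, but "some-widget" (a hypothetical dependency) declares ^2.0.5
// and npm resolved that to the compromised 2.0.6 in a nested node_modules.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@lottiefiles/lottie-player": "2.0.4", "some-widget": "1.0.0" } },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.4" },
    "node_modules/some-widget": { version: "1.0.0", dependencies: { "@lottiefiles/lottie-player": "^2.0.5" } },
    "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
  },
};

function report(lock = SAMPLE_LOCK) {
  const hits = findCompromised(lock);
  for (const h of hits) {
    console.log(`${h.path}: ${h.name}@${h.version} is compromised; update to ${h.fixed}`);
  }
  return hits;
}

report();
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; npm-shrinkwrap.json has the same shape. A hit on a nested path means a direct `npm update` of your own dependency will not help until the intermediate package relaxes or moves its range.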

Because the malicious versions were published straight to npm with the stolen token, nothing changed on GitHub, and the repository showed no trace of the injected code. Developers discovered the attack by inspecting the code actually being served by the CDN.

Socket raised an Unstable Ownership alert on this package before the versions were removed from npm, but a quick review of the new publisher would have shown that adiosmf is a member of the LottieFiles GitHub organization, which would not necessarily have drawn suspicion.

Our system correctly flagged the change in authorship as a supply chain risk, and our AI scanner detected cryptocurrency-related code. That kind of code could legitimately appear in a crypto app, and the scanner did not recognize that it was out of place, and therefore malicious, in a web component whose only job is to play animations.

As a result, we’re working on refining our detections to connect the dots in cases like this where the type of code being added in an update is unrelated to the rest of the code in the package. While complex threats can require human review to confirm malicious intent, we are committed to enhancing our AI scanning capabilities. We flagged the package as a supply chain risk immediately upon being ingested into our system. We then flagged it as malicious soon after learning about the attack.

LottieFiles has not yet released a statement to developers about the compromised package, as their team is still investigating the incident. It's not yet clear whether the threat actor bypassed two-factor authentication or whether it simply wasn't enabled on the account. You can follow LottieFiles' updates on GitHub.

To mitigate risks from supply chain attacks, always pin an exact package version when serving code from a CDN rather than letting the CDN resolve to the latest release. Avoid blindly updating to the latest version of a package immediately after release. Instead, make sure you're using a tool like Socket for GitHub to analyze new versions for potential supply chain risks before deploying them.
