Hello, when I connect this link https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js via CDN (when I add this link to my website), the following popup begins to appear on the site.
Yes, we experienced the same thing on our application; we have since disabled LottieFiles. I inspected the JS file on the CDN, and I can see there are multiple references to cryptocurrency wallets.
CDN in question: https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js
Same problem. Files are blocked because of an invalid certificate warning, something to do with web3modal.org, a crypto thing I think.
Has Lottiefiles been hacked?
Yes, definitely; it must have been compromised to execute a supply chain attack. A good lesson to ourselves and others not to use @latest when loading external libraries. Loading from version 2.0.4 solved it for us.
The unpkg.com link for 2.0.4 was still affected here, but this one worked:
https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.min.js
It looks like the library has been tampered with. Somebody has also updated the GitHub repo in the past 20 mins.
Looks like they fixed it
Hi everyone,
Thank you for reaching out to report this issue.
We’re aware of the npm compromise that led to the publication of three versions (2.0.5, 2.0.6, and 2.0.7) containing malicious code. To address this, we’ve released version 2.0.8—a secure copy of 2.0.4—to ensure stability and security for users accessing the latest tag through CDNs.
Apologies for any disruption this may have caused. If you have any questions, please feel free to reach out to me!
I am experiencing the same issue with the script provided on your website, which appears to be attempting unauthorized access to Meta wallets. This suggests a potential security breach that may have compromised the safety of users’ wallets.
Given the serious implications of this issue, I strongly urge you to investigate and resolve it immediately to prevent any further risk to users’ financial assets.
I’ve just received a hundred emails from my customers using my application… I had to disable lottie too…
Lottie… what are the consequences of your hacking for my customers?
Incident Response for Recently Infected Lottie Web Player Versions 2.0.5, 2.0.6, 2.0.7
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th, ~6:20 PM UTC, LottieFiles was notified that our popular open source npm package for the web player, @lottiefiles/lottie-player, had unauthorized new versions pushed with malicious code. This does not impact our dotLottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring the safety and security of our users, customers, their end-users, developers, and our employees.
Immediate Mitigation Actions
- Published a new safe version (2.0.8)
- Unpublished the compromised package versions from npm
- Removed all access and associated tokens/service accounts of the impacted developer
Impact
- Versions 2.0.5, 2.0.6, and 2.0.7 were published directly to npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.
- The unauthorized versions contained code that prompted users to connect their crypto wallets.
- A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users will have automatically received the fix.
Recommended Steps
- If using versions 2.0.5, 2.0.6, or 2.0.7, please update to the latest version, 2.0.8.
  SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==
- If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users NOT to accept any attempts to connect their crypto wallets.
Next Steps
- LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.
We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected.
If you believe you’re affected, don’t hesitate to reach out to us at priority_support@lottiefiles.com
We’ve posted this incident report on Twitter (x.com).
@nattu and @haleeza – does Lottie consider it best practice for production sites to reference specific versions rather than “latest” to minimize this sort of risk?
Great question! To minimize risks, we recommend referencing specific versions in production environments for stability and control. This approach lets you lock in a known, secure version. For those needing the latest features, referencing “latest” is an option, but for @lottiefiles/lottie-player specifically, we won’t be issuing further updates.
We’re actively securing our package distribution methods to prevent future incidents, and we encourage users to transition to our new dotLottie player, which we are actively developing and enhancing for better performance.