Incident Response for Recently Infected Lottie Web Player versions 2.05, 2.06, 2.07
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees.
Immediate Mitigation Actions
Published a new safe version (2.0.8)
Unpublished the compromised package versions from npm
Removed all access and associated tokens/services accounts of the impacted developer
Impact
- Versions 2.0.5, 2.0.6, 2.0.7 were published directly to npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.
The unauthorized versions contained code that prompted for connecting to user’s crypto wallets. - A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix.
Recommended Steps
- If using 2.0.5, 2.0.6 and 2.07 versions please update to the latest version 2.0.8
SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ== - If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets.
Next Steps
- LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.
We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected.
If you believe you’re affected, don’t hesitate to reach out to us at priority_support@lottiefiles.com
We’ve posted this incident report on Twitter. x.com