LottieFiles has reported that specific versions of its npm package, Lottie Web Player, contained malicious code designed to drain cryptocurrency wallets. The affected versions, 2.0.5, 2.0.6, and 2.0.7, were published to npm only yesterday, sparking immediate user concerns after unusual code injections were detected.
LottieFiles quickly responded by issuing a new version, 2.0.8, which reverts the package to the clean 2.0.4 code. The company urges all users to upgrade to this latest release to mitigate the risk.
As a Software-as-a-Service (SaaS) platform widely used for embedding lightweight animations in apps and websites, LottieFiles’ npm package has been broadly adopted, particularly for its efficiency and low performance overhead across mobile and desktop environments.
This widespread use may explain the scope of the impact: numerous users, particularly those loading the library via third-party CDNs, unknowingly received the compromised package as an automatic update.
In their official statement, LottieFiles explained, “A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
With the release of the clean version 2.0.8, these users should receive the secure update automatically, though others (those not relying on an unpinned CDN reference) may need to update manually to be safe.
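The "unpinned CDN reference" failure mode described above can be checked for mechanically. The following is an added example, not LottieFiles' code: it flags dependency ranges and CDN script URLs that could resolve to the tampered releases 2.0.5 to 2.0.7 named on this page. The npm package name @lottiefiles/lottie-player, the CDN URL shapes, and the sample HTML are assumptions constructed for the example.

```javascript
// Added example (not LottieFiles' code). Package name and CDN URL shapes are
// assumptions; the affected/fixed versions are the ones this page reports.
const PKG = "@lottiefiles/lottie-player";
const AFFECTED = ["2.0.5", "2.0.6", "2.0.7"];
const FIXED = "2.0.8";

// Parse "MAJOR.MINOR.PATCH" into numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two version triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Could a package.json-style range resolve to an affected release?
// Handles exact pins, ^ and ~ ranges, and "latest"/"*"/empty (unpinned).
// Caret on a 0.x base behaves like tilde in npm; not needed for 2.x here.
function rangeAdmitsAffected(range) {
  if (range === "latest" || range === "*" || range === "") return true;
  if (parseVersion(range)) return AFFECTED.includes(range);
  const m = /^([\^~])(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) return true; // unknown syntax: treat as unpinned (conservative)
  const base = parseVersion(m[2]);
  return AFFECTED.some((av) => {
    const v = parseVersion(av);
    if (cmp(v, base) < 0) return false;
    const sameMajor = v[0] === base[0];
    return m[1] === "^" ? sameMajor : sameMajor && v[1] === base[1];
  });
}

// CDN URLs of the form .../<pkg>@<spec>/... ; a missing @spec means "latest".
function cdnUrlAdmitsAffected(url) {
  const m = new RegExp(PKG + "(?:@([^/]+))?").exec(url);
  return m ? rangeAdmitsAffected(m[1] || "latest") : false;
}

// Return the <script src> URLs in an HTML document that should be re-pinned.
function auditHtml(html) {
  const flagged = [];
  for (const m of html.matchAll(/<script[^>]*\ssrc=["']([^"']+)["']/gi)) {
    if (cdnUrlAdmitsAffected(m[1])) flagged.push(m[1]);
  }
  return flagged;
}

// Constructed sample page: one unpinned reference, one pinned to the fix.
const SAMPLE_HTML = `<script src="https://unpkg.com/${PKG}/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/${PKG}@${FIXED}/dist/lottie-player.js"></script>`;
```

Running `auditHtml(SAMPLE_HTML)` returns only the unpinned unpkg URL; the `@2.0.8` reference passes.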
The malicious code prompted unsuspecting end users to connect their cryptocurrency wallets to external services, allowing attackers to take control of and empty the wallets. Notably, the blockchain monitoring service Scam Sniffer has documented at least one significant incident in which a user lost approximately $723,000 worth of Bitcoin as a result of the breach.
The attack appears limited to LottieFiles’ npm package. The platform’s other resources, including its SaaS services, open-source libraries, and GitHub repositories, have been confirmed unaffected.
LottieFiles has revoked all access and tokens associated with the compromised developer account responsible for uploading the tampered npm versions to prevent any further malicious activity.
To address the security compromise further, LottieFiles has enlisted external experts and is continuing its internal investigation. The platform is expected to release additional details as they emerge.