2024

Read

LottieFiles revealed a supply chain compromise in which malicious code could lure users into connecting crypto wallets, potentially leading to asset theft.
LottieFiles, a platform that enables designers and developers to create animations, has issued a warning regarding a security breach involving its npm package, which may expose users to malicious code designed to compromise crypto wallets.
<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter">
 <div class="wp-block-embed__wrapper">
 <blockquote class="twitter-tweet" data-width="550" data-dnt="true">
 Incident Response for Recently Infected Lottie-Player versions 2.05, 2.06, 2.0.7 Comm Date/Time: Oct 31st, 2024 04:00 AM UTC Incident: On October 30th ~6:20 PM UTC – LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player…— LottieFiles (@LottieFiles) <a href="https://twitter.com/LottieFiles/status/1851848602093777273?ref_src=twsrc%5Etfw" target="_blank" rel="noopener noreferrer nofollow">October 31, 2024</a>
 </blockquote>
 <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
 </div>
</figure>
In <a href="https://twitter.com/LottieFiles/status/1851848602093777273" target="_blank" rel="noopener noreferrer nofollow">an X post</a> on Oct. 31, LottieFiles said that the affected versions — Lottie Web Player 2.0.5, 2.0.6, and 2.0.7 — were released on Oct. 30, prompting immediate concerns after multiple user reports surfaced about strange code injections. In response to the threat, LottieFiles released a new version, 2.0.8, reverting to the secure code.
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
 “A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.”
 LottieFiles
</blockquote>
You might also like: <a rel="noopener noreferrer nofollow" href="https://crypto.news/web3-anti-scam-sleuth-uncovers-phishing-attack-that-drained-4-2m-using-a-malicious-opcode/"> Web3 anti-scam sleuth uncovers phishing attack that drained $4.2m using a malicious opcode </a>
For those unable to update, LottieFiles recommends informing end users about potential fraudulent wallet connection prompts associated with the Lottie-player. Users may also opt to remain on version 2.0.4 to avoid risk.
LottieFiles warned that applications using the compromised npm package may inadvertently prompt users to connect their crypto wallets, opening avenues for potential theft. The developer account linked to the malicious uploads has been stripped of access, and related tokens have been revoked to halt any further unauthorized activity, the firm added, though the full extent of the attack remains unknown.
Read more: <a rel="noopener noreferrer nofollow" href="https://crypto.news/github-repository-exposed-binances-internal-passwords-and-code/"> GitHub repository exposed Binance’s internal passwords and code </a>

SaaS animation platform LottieFiles alerts users to crypto threats

crypto.news

Other articles published on Oct 31, 2024

Qubetics Gains Attention with a Massive 1322.9% ROI Potential, Alongside Arbitrum and Slart

Solana Heads to $170 While SUI price Tests $2—Here’s When a Rebound Could Occur Triggering a 15% ...

Shiba Inu Price To Surge Amidst Spike in Whale Activity, SHIB Killer To Gain 50x

VanEck-backed stablecoin AUSD debuts on Injective blockchain

Robinhood doubles crypto trading volume, but shares dip 12% on Q3 earnings

How $40 Could Turn into $400K: Altcoins Making a Buzz in the Crypto World

Join our free newsletter for daily crypto updates!