Supply chain attack compromises LottieFiles npm package with crypto drainer

Animation workflow platform LottieFiles has disclosed a supply chain attack against its "lottie-player" npm package that enabled the release of malicious versions containing cryptocurrency-draining payloads, The Hacker News reports.

The intrusion meant that users who loaded the library through third-party content delivery networks automatically received the malicious lottie-player npm package versions, according to LottieFiles. "Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges," said LottieFiles, which urged an immediate upgrade to version 2.0.8 of the package and confirmed that all malicious versions, which sought to connect to targets' cryptocurrency wallets, have already been removed. The investigation into the incident, which has not affected LottieFiles' dotlottie player or its software-as-a-service offering, is still underway, according to the firm.
