Boztek

LottieFiles Issues Warning About Compromised “lottie-player” npm Package

On October 30, 2024, LottieFiles disclosed a significant security breach involving its npm package, “lottie-player,” which was compromised in a supply chain attack. The company confirmed that unauthorized versions containing malicious code were published, specifically versions 2.0.5, 2.0.6, and 2.0.7. Users who consumed the package without pinning it to a specific version may have received these malicious updates automatically, exposing them to the attack.

LottieFiles, known for its animation workflow platform for creating and sharing Lottie animations (a JSON-based format), has emphasized that the breach does not affect its dotlottie player or its software as a service (SaaS) offerings. The malicious updates attempted to deceive users into connecting their cryptocurrency wallets, presumably to siphon funds, making this a serious threat for anyone who relied on the compromised package.

In response to the attack, LottieFiles promptly released an updated package, version 2.0.8, and recommended that all users of the unauthorized versions upgrade immediately to mitigate the risk. The malicious versions were swiftly removed from the npm package repository, limiting further exposure.

The company reported that the compromised versions were pushed through a developer’s access token, which was abused to publish the rogue updates. This highlights vulnerabilities in the development and deployment process of open-source software, underscoring the need for stringent security measures.

To bolster its response, LottieFiles activated its incident response plan and secured assistance from an external incident response team to investigate the extent of the breach and prevent future occurrences. The incident serves as a reminder of the vulnerabilities that exist within the software supply chain, particularly in open-source ecosystems where developers rely on shared resources.

Overall, the incident has raised awareness about the critical need for developers and companies to implement better security practices, such as version pinning and stronger access controls, to safeguard against similar attacks in the future. LottieFiles’ proactive communication and swift action reflect the urgency and seriousness with which the company addresses this breach.
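As an added illustration of the version-pinning point made above (this is example code, not code from the advisory or from LottieFiles), the following Node script audits a project's package.json and package-lock.json for the three compromised releases. It assumes the package is published on npm under the name @lottiefiles/lottie-player, and the sample input at the bottom is constructed.

```javascript
// Added example: flag installed or resolvable compromised releases of the package.
const PKG = "@lottiefiles/lottie-player";                 // npm name (assumed)
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]); // versions from the advisory

const parse = (v) => v.split(".").map(Number);
function cmp(a, b) {                 // compare two [major, minor, patch] triples
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver-range matcher: exact pin, ^, ~ and wildcard only.
// Returns null for syntax it does not understand (e.g. ">=2.0.0", "2.x").
// Caret semantics for 0.x majors are not modelled; this package is on 2.x.
function rangeAdmits(range, version) {
  if (range === "*" || range === "latest" || range === "") return true;
  if (/^\d+\.\d+\.\d+$/.test(range)) return range === version; // pinned
  const m = /^([\^~])(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) return null;
  const lo = [m[2], m[3], m[4]].map(Number);
  const hi = m[1] === "^" ? [lo[0] + 1, 0, 0] : [lo[0], lo[1] + 1, 0];
  const v = parse(version);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

function audit(packageJson, lockfile) {
  const findings = [];
  // 1. What is actually installed: lockfile v2/v3 "packages" map, v1 "dependencies".
  const installed = lockfile.packages?.[`node_modules/${PKG}`]?.version
                 ?? lockfile.dependencies?.[PKG]?.version;
  if (installed && COMPROMISED.has(installed))
    findings.push(`installed ${PKG}@${installed} is a compromised release`);
  // 2. Would a fresh install without the lockfile pull a compromised release?
  const range = packageJson.dependencies?.[PKG] ?? packageJson.devDependencies?.[PKG];
  if (range !== undefined) {
    const admits = [...COMPROMISED].map((c) => rangeAdmits(range, c));
    if (admits.includes(null)) findings.push(`range "${range}" not understood; review manually`);
    else if (admits.includes(true)) findings.push(`unpinned range "${range}" admits a compromised release`);
  }
  return findings;
}

// Constructed sample input: caret range in package.json, lockfile resolved to 2.0.6.
const samplePackageJson = { dependencies: { [PKG]: "^2.0.4" } };
const sampleLock = { lockfileVersion: 3, packages: { [`node_modules/${PKG}`]: { version: "2.0.6" } } };
console.log(audit(samplePackageJson, sampleLock));
```

Run it against a real project by replacing the sample objects with `JSON.parse(fs.readFileSync(...))` of the two files; a clean result is an empty array.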