31st October 2024 – (San Francisco) LottieFiles has issued an alert regarding a significant security breach that has compromised its npm package, potentially putting users at risk of crypto wallet theft. The platform, which allows designers and developers to create animations, revealed that malicious code could lure users into connecting their crypto wallets.
In a post on X (formerly Twitter) dated 31st October, LottieFiles stated that the affected versions—Lottie Web Player 2.0.5, 2.0.6, and 2.0.7—were released on October 30. This revelation followed multiple reports from users regarding unusual code injections. In response, the company swiftly released version 2.0.8, which reverted the package to secure code.
“A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release,” LottieFiles noted.
For users unable to immediately update, LottieFiles has suggested informing end users about potential fraudulent wallet connection prompts associated with the Lottie player. As a precaution, users are advised to revert to version 2.0.4 to mitigate risk.
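As an added illustration of the pinning problem described above (not code from LottieFiles or from the article): a small scanner that flags script tags loading the player from a CDN without a pinned version, or pinned to one of the three affected releases, and applies the same check to a package.json dependency spec. It goes slightly beyond the text by treating any floating range (`^`, `~`, `latest`, `2.0.x`) as unpinned, since such a range can also resolve to a bad release. The npm package name `@lottiefiles/lottie-player`, the unpkg/jsDelivr URL shapes, and the sample HTML are assumptions constructed for this example.

```python
import re

AFFECTED = {"2.0.5", "2.0.6", "2.0.7"}      # versions named in the advisory
PKG = "@lottiefiles/lottie-player"          # assumed npm package name (not stated on the page)

# Matches unpkg/jsDelivr-style URLs: .../@lottiefiles/lottie-player[@version][/path]
CDN_RE = re.compile(
    r"https?://[^\s\"']*?" + re.escape(PKG) + r"(?:@(?P<ver>[^/\"'\s]+))?(?:/[^\s\"']*)?"
)

def classify_version(ver):
    """Return 'affected', 'unpinned' or 'ok' for a version spec (None = no version given)."""
    if ver is None:
        return "unpinned"                    # no @version: the CDN serves "latest"
    if ver in ("latest", "next") or ver.startswith(("^", "~", ">", "<", "*")) or ".x" in ver:
        return "unpinned"                    # floating range: may resolve to a bad release
    if ver in AFFECTED:
        return "affected"
    return "ok"                              # exact pin outside the affected set (e.g. 2.0.4, 2.0.8)

def scan_html(html):
    """Find every CDN reference to the player in an HTML document; returns (url, verdict) pairs."""
    return [(m.group(0), classify_version(m.group("ver"))) for m in CDN_RE.finditer(html)]

def scan_package_json(pkg):
    """pkg: parsed package.json dict. Returns the verdict for the player dependency, or 'absent'."""
    for section in ("dependencies", "devDependencies"):
        spec = pkg.get(section, {}).get(PKG)
        if spec is not None:
            return classify_version(spec)
    return "absent"

# Constructed sample input, not content from any real site.
SAMPLE_HTML = """
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
"""

if __name__ == "__main__":
    for url, verdict in scan_html(SAMPLE_HTML):
        print(f"{verdict:9s} {url}")
```

Running the block prints one verdict per script tag: the first reference is an exact safe pin, the second is unpinned, the third is pinned to an affected release.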
The company has cautioned that applications relying on the compromised npm package may unintentionally prompt users to connect their crypto wallets, thereby creating opportunities for asset theft. In a bid to contain the threat, LottieFiles has revoked access to the developer account linked to the malicious uploads and rescinded related tokens to prevent further unauthorized activity. However, the full extent of the attack remains unclear.
The post LottieFiles warns of security breach exposing users to crypto wallet theft appeared first on Dimsum Daily.