LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library.
"On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a statement on X. "This does not impact our dotlottie player and/or SaaS service."
LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It's also the developer behind an npm package named lottie-player, which allows for embedding and playing Lottie animations on websites.
According to the company, "a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release."
The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users who are on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8.
"Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges," LottieFiles noted.
Software supply chain security firm Checkmarx said the attack leveraged an npm automation token to bypass two-factor authentication (2FA) controls and push the rogue versions.
"Even with 2FA configured, the threat actors somehow got the npm automation token set in the CI/CD pipeline to automate version releases to publish the malicious versions 2.0.5, 2.0.6, and 2.0.7 of the npm package," security researcher Jossef Harush said.
Besides releasing a fix, the three rogue versions have been unpublished from the npm package repository. LottieFiles said it has also activated its incident response plan and engaged an external incident response team to assist with the investigation.