Lottie Web Player Malicious Package: All You Need to Know

user profile
Security Researcher

On October 30, 2024, the Lottie Player NPM package, an open-source JavaScript library that boasts approximately 100,000 weekly downloads, was compromised by malicious code targeting users’ cryptocurrency wallets due to an exposed access token.

Just four hours after the compromised package was published to the npm registry, a new issue was opened in the Lottie Player GitHub repository, highlighting suspicious behavior – a popup window requesting users to connect their crypto wallets. This led to a full investigation into what the malicious code did and how it got into the package.

What Happened?

In a typical software development flow, developers commit new changes to a GitHub repository, which triggers a CI/CD workflow to automatically build and publish a new release. This process usually involves review and approval steps, such as pull requests, to ensure code quality and security before any updates are released.

However, in this case, an exposed developer token granted the threat actor the ability to push malicious code directly to the npm registry without any pull request or the need to inject code into the repository.

Versions 2.0.5, 2.0.6, and 2.0.7 of the Lottie player package were published to the npm registry with malicious code embedded within them. This code prompted users to connect their crypto wallets, attempting to target users’ cryptocurrency wallets.

  • 2.0.5 – pushed to npm at 8:12 PM GMT, 30 Oct 2024
  • 2.0.6 – pushed to npm at 8:35 PM GMT, 30 Oct 2024
  • 2.0.7 – pushed to npm at 9:57 PM GMT, 30 Oct 2024

By opening the malicious package, we can see that it contained additional Ethereum – related code that was not present in the original version, such as executing transactions and handling web3 requests.

What Should I Do?

The LottieFiles team has released version 2.0.8 for Lottie Web Player. Alongside removing the malicious versions 2.0.5, 2.0.6, and 2.0.7.

If you are currently using any of the affected versions (2.0.5, 2.0.6, or 2.0.7), it is crucial to update to the latest version (2.0.8). Below are instructions for how to do this using different CDNs:

  • UNPKG:
    <script src="https://unpkg.com/@lottiefiles/[email protected]/dist/lottie-player.js"></script>
  • jsDelivr:
    <script src="https://cdn.jsdelivr.net/npm/@lottiefiles/[email protected]/dist/lottie-player.min.js"></script>
  • Cloudflare:
    <script src="https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.8/lottie-player.js"></script>

How Can Cycode Help?

The incident involving the malicious code in the Lottie player highlights several security measures that could have been implemented to prevent such breaches. Cycode’s complete ASPM platform is specifically designed to help organizations address these kinds of vulnerabilities across the entire software supply chain.

Secret Detection

This attack originated from an exposed NPM access token, which allowed unauthorized access to the package registry. Using a secret detection tool to continuously scan the organization’s codebase, CI/CD pipelines, artifacts, and cloud resources, alongside prioritizing sensitive information based on factors such as secret validity and exposure level, would enable organizations to effectively address and remediate exposed secrets, preventing unauthorized actors from taking advantage of them.

 

Locate Possible Usages

To fully mitigate the risks associated with the malicious versions of the Lottie player, it’s essential for organizations to identify where these versions may have been used across their environments.

SLSA as a Long-term Solution

The Supply-chain Levels for Software Artifacts (SLSA) project aims to prevent attack vectors exactly like this by creating a link between the source code repository and the generated artifact. This is achieved through the use of signed SLSA Provenance documents, which capture essential metadata collected during the build process. These documents not only confirm the origin of the code but also including how and when they were built and who authorized them.

NPM officially supports provenance for GitHub repositories, which allows developers to integrate this security measure into their CI/CD workflows. By adopting SLSA principles, organizations can enhance their security posture, as these documents provide a verifiable history of the artifact’s creation. This mechanism blocks attacks like the one seen with the Lottie Player by providing a clear audit trail for every package version. If a malicious actor attempts to push unauthorized changes, the lack of a corresponding signed provenance document would serve as a red flag

Cimon is a powerful tool that can facilitate SLSA (Supply Chain Levels for Software Artifacts) attestation within the software development and deployment lifecycle. It simplifies the process of generating and managing provenance documents, ensuring the integrity and authenticity of software artifacts.

Tips for staying safe from supply chain attacks

  1. Keep an accurate inventory of your 3rd party software libraries and dependencies and ensure they are up to date. Adopt the use of Software Bill of Material (SBOM).
  2. Do more than just SCA scanning. Apply defense-in-depth principles to mitigate software supply chain risks to include: protecting secrets & access credentials, hardening CI/CD system configurations, signing code artifacts, and setup alerting on unexpected change.
  3. Leverage a platform such as Cycode’s Complete ASPM for holistic coverage across all potential weak points in your software factory.

Learn More About Cycode

Cycode is the leading Application Security Posture Management (ASPM), providing peace of mind to its customers. Our Complete ASPM delivers safe code, faster. That means Stopping application risk before it starts, Reducing developer productivity tax and lowering the total cost of ownership out of the business.

The platform can replace existing application security testing tools or integrate with them while providing cyber resiliency through unmatched visibility, risk driven prioritization and just in-time remediation of code vulnerabilities as scale. Cycode’s Risk Intelligence Graph (RIG), the ‘brain’ behind the platform, provides traceability across the entire SDLC through natural language.