1inch web app compromised, losses to be reimbursed
The post 1inch web app compromised, losses to be reimbursed appeared on BitcoinEthereumNews.com.
1inch, a decentralized exchange aggregator, was compromised after attackers injected malicious code into an animation library update, prompting users to connect their wallets to a crypto drainer.

On Oct. 30, 1inch users encountered malicious popups that appeared unexpectedly, urging them to connect their wallets. These prompts, embedded through compromised code in the popular Lottie Player animation library, redirected users to “Ace drainer” disguised as a standard wallet connection request, according to web3 security firm Blockaid.

In its post-incident report, 1inch noted that only its web dApp was affected; all other platforms, including its mobile app and API services, remained unaffected. Without disclosing the extent of losses, the team hinted that some users may have been affected but assured that losses would be refunded. The developers have urged users to “revoke ERC20 approvals from malicious addresses,” adding that they are “strengthening dependency management for enhanced security.”

What happened?

According to cybersecurity researcher Gal Nagli, the breach stemmed from a large-scale supply chain attack on the Lottie Player animation library. Lottie Player, widely used for web animations, is relied on by major companies like Apple, Spotify, and Disney for creating engaging user interfaces.

The attackers initially breached the GitHub account of a senior software engineer at LottieFiles, the publisher of the Lottie Player library. Using this access, they pushed three malicious updates within a span of three hours. These updates contained code that injected a malicious popup into websites using the library.

While the attack, according to Nagli, was originally targeted at web3 firms, he warned that other websites using the affected library versions remain vulnerable. At press time, the affected libraries had been removed from GitHub, and users had been asked to upgrade to the latest version.

In an Oct. 31 X post, cybersecurity firm Scam Sniffer noted that at least…
Filed under: News - @ October 31, 2024 8:28 am