Lottie Player Compromised, Users Lose 10 BTC!
The post Lottie Player Compromised, Users Lose 10 BTC! appeared on BitcoinEthereumNews.com.
In a major coordinated attack on the web3 space, on-chain sleuths discovered a massive supply chain attack on Lottie Player earlier today. According to the LottieFiles team, the attackers managed to inject malicious code into several Lottie Player versions, including 2.05, 2.06, and 2.0.7. Notably, these versions were uploaded and published on GitHub's npm platform.

"The unauthorized versions contained code that prompted for connecting to user's crypto wallets. A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release," the LottieFiles team noted.

The LottieFiles team is currently investigating the incident; it is believed that a developer with the required publishing privileges facilitated the attack. The team noted that it has published a new safe version, 2.0.8, which is a copy of the original Lottie Player version 2.0.4.

TLDR: Massive Supply Chain attack had been happening on the highly popular JS Library lottie-player since ~2 hours ago that populates attackers Web3 wallet connection pop-up on legitimate websites. I'll write here what we know, what can be done and how to detect it in the wild.… pic.twitter.com/aX4DIj7Olp — Nagli (@galnagli) October 31, 2024

Most importantly, the LottieFiles team has unpublished the compromised package versions from npm to mitigate further damage. Additionally, the team removed all access and associated service accounts of the impacted developer.

Impact of the Lottie Player Supply Chain Attack

⚠️ Lottie Player faced a supply chain attack earlier today, impacting projects like 1inch and Movement. Our system automatically blocked the affected domains to keep you safe! 🚫🔒 pic.twitter.com/liQPFY2vY2 — Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) October 31, 2024

According to the on-chain analysis platform Scam Sniffer, the Lottie Player supply chain attack compromised major decentralized applications (Dapps)…
Filed under: News, October 31, 2024, 9:27 am