Lottie Player (lottiefiles/lottie-player) is a web component that renders lightweight, high-quality animations from JSON files created with tools like Adobe After Effects, enabling scalable and interactive animations on websites and apps.
Incident
On October 30, 2024, the company posted an update on the forum about the recently infected versions of the Lottie Web Player. In the post, they shared the following information: “LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees.”
Scam Sniffer also reported that one user lost 10 Bitcoin because of this incident.
Malicious Code
We tested the malicious version of the `lottie-player` JavaScript by adding it to a basic HTML page. When we visited the site, the injected code executed, prompting users to connect their crypto wallets.
This happened because an attacker gained unauthorized access to a token belonging to one of the library’s maintainers, Aidosmf. This breach allowed them to inject malicious code into versions 2.0.5, 2.0.6, and 2.0.7 of the `lottie-player` package, which were subsequently published on npm between 8:12 PM and 9:57 PM GMT on October 30, 2024.
Affected Versions
lottiefiles/lottie-player versions 2.0.5, 2.0.6, 2.0.7.
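A defender-side check for the versions listed above, added here as an example and not code from the advisory or the LottieFiles project: it takes a parsed package-lock.json object and a page's HTML and reports pinned affected versions, plus unpinned CDN references that need manual review. The sample page at the bottom is constructed.

```javascript
// Added example, not code from the advisory or from LottieFiles: flag the
// affected @lottiefiles/lottie-player versions in a lockfile and in <script> tags.
const AFFECTED = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const PKG = "@lottiefiles/lottie-player";

// True when a version string (optionally prefixed "v" or "=") is affected.
function isAffectedVersion(version) {
  if (typeof version !== "string") return false;
  return AFFECTED.has(version.trim().replace(/^[v=]/, ""));
}

// Walk a package-lock.json (v1 "dependencies" or v2/v3 "packages") and
// return every entry that resolves the package to an affected version.
function findAffectedInLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && isAffectedVersion(entry.version)) {
      hits.push({ where: path, version: entry.version });
    }
  }
  const dep = (lock.dependencies || {})[PKG];
  if (dep && isAffectedVersion(dep.version)) {
    hits.push({ where: "dependencies." + PKG, version: dep.version });
  }
  return hits;
}

// Find <script src> tags that load the package from a CDN. A pinned affected
// version is "affected"; no pin or a dist-tag such as @latest is "unpinned",
// since it resolved to whatever the registry served at load time and needs
// a manual check against the publication window given in the advisory.
function findAffectedScriptTags(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = m[1];
    if (!src.includes(PKG)) continue;
    const ver = src.match(/@lottiefiles\/lottie-player@([^/?#]+)/);
    if (ver && /^\d/.test(ver[1])) {
      if (isAffectedVersion(ver[1])) findings.push({ src, status: "affected", version: ver[1] });
    } else {
      findings.push({ src, status: "unpinned", version: ver ? ver[1] : null });
    }
  }
  return findings;
}
// Constructed sample page (not a real site) to exercise the scanner.
const SAMPLE_HTML = '<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>';
console.log(findAffectedScriptTags(SAMPLE_HTML));
```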
Secure Your Website with Qualys
Qualys provides a comprehensive, continuous solution to detect security issues in organizations. We highly recommend organizations launch Qualys Web Application Scanning (WAS) scans to detect and remove the affected `lottie-player` versions.
QID 152350: Malicious Lottie Player Detected
Reference
https://github.com/LottieFiles/lottie-player/issues/254
https://x.com/LottieFiles/status/1851848602093777273
https://x.com/realScamSniffer/status/1851800628189933806