A targeted supply chain attack involving the widely used npm package @lottiefiles/lottie-player has been discovered, highlighting the vulnerabilities in software dependencies.
According to research published by ReversingLabs last week, malicious versions of the package were released earlier this year.
Key details of the incident
The package @lottiefiles/lottie-player is downloaded around 84,000 times a week and is used to load and play Lottie animations on websites.
Although normally safe, the package was recently compromised when attackers published three malicious versions (2.0.5, 2.0.6 and 2.0.7) using unauthorized access to a privileged developer account.
These malicious updates contained modified code that introduced pop-ups prompting users to connect their web3 wallets.
Once a wallet was connected, the attackers were able to drain the victim's crypto assets. Developers flagged the problem soon after noticing unusual behavior on affected sites, which prompted discussions on forums and GitHub.
Fast response from maintainers
LottieFiles responded immediately to the breach, working with npm to remove the malicious versions and publish a clean release based on the last secure version, 2.0.4. Developers using the @latest dependency configuration received the update automatically, which limited the potential impact.
How the compromise was detected
ReversingLabs researchers performed a differential analysis between the secure 2.0.4 and the malicious 2.0.7 versions. This revealed significant changes, including:
- Increased file size without functional justification
- Introduction of URLs associated with Bitcoin exchanges
- Removal of standard behavior, such as display list
Their analysis also triggered threat-hunting policies that detect patterns comparable to known software supply chain attacks, such as crypto-token detection.
Lessons for developers
The attack underlines the importance of pinning dependencies to specific, vetted versions to prevent vulnerabilities from being pulled in by automatically updated packages. Regular security assessments of dependencies and build pipelines are also crucial for identifying potential risks.
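As an added illustration of the pinning advice above (example code written for this article, not ReversingLabs' or LottieFiles' tooling), the following script audits a package.json for floating version ranges and a v2/v3 package-lock.json for resolved versions matching the three compromised releases named in the article. The sample package.json and lockfile are constructed; the COMPROMISED table holds only the versions the article reports.

```javascript
// Versions the article reports as compromised. Constructed lookup table.
const COMPROMISED = {
  '@lottiefiles/lottie-player': ['2.0.5', '2.0.6', '2.0.7'],
};

// An exact pin looks like "2.0.4"; anything else (^2.0.4, ~2.0.4, latest, *,
// or a range) lets `npm install` resolve to a newer, possibly tampered, release.
const EXACT_PIN = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditDependencies(pkg, lock, compromised = COMPROMISED) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (!EXACT_PIN.test(spec)) {
      findings.push({ name, kind: 'floating-spec', detail: spec });
    }
  }
  // Lockfile v2/v3 keys packages by install path, e.g. "node_modules/@scope/name".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    const name = path.slice(idx + 'node_modules/'.length);
    const bad = compromised[name];
    if (bad && bad.includes(entry.version)) {
      findings.push({ name, kind: 'compromised-version', detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample input mirroring the incident: a caret range on the player
// in package.json, and a lockfile that resolved it to one of the pulled releases.
const samplePackageJson = {
  dependencies: { '@lottiefiles/lottie-player': '^2.0.4', 'left-pad': '1.3.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@lottiefiles/lottie-player': '^2.0.4' } },
    'node_modules/@lottiefiles/lottie-player': { version: '2.0.7' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

console.log(JSON.stringify(auditDependencies(samplePackageJson, sampleLock), null, 2));
```

On real input, load the two files with `JSON.parse(fs.readFileSync(...))` and fail the build when the result is non-empty.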
“In the case of @lottiefiles/lottie-player, the supply chain compromise was quickly discovered. That does not mean that malicious actors could not work in the future to be even more secretive and better at hiding their malicious code,” warned ReversingLabs.
“That is why it is necessary for developers to perform security assessments that can verify the integrity and quality of public, open source libraries for safety before they are used.”