Animation workflow platform LottieFiles has disclosed a supply chain attack against its "lottie-player" npm package that enabled the release of malicious versions containing cryptocurrency-draining payloads, The Hacker News reports.
Such an intrusion has prompted automated delivery of the malicious lottie-player NPM package versions among users who obtained the library through third-party content delivery networks, according to LottieFiles. "Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges," said LottieFiles, which urged immediate upgrades to version 2.0.8 of the package as it confirmed the removal of all malicious versions that sought to establish a connection with targets' cryptocurrency wallets have already been removed. Investigation into the incident, which has not affected LottieFiles' dotlottie player and/or software-as-a-service, is still underway, according to the firm.
