The widely used LottieFiles Lottie-Player project has fallen victim to a supply chain attack, resulting in the injection of a cryptocurrency drainer into various websites, which subsequently steals the cryptocurrency of unsuspecting visitors. According to the blockchain threat monitoring platform Scam Sniffer, at least one individual reportedly lost $723,000 in Bitcoin due to this compromise.
Recent investigations revealed that versions 2.0.5, 2.0.6, and 2.0.7 of the Lottie Web Player (“lottie-player”) were altered to incorporate malicious code that facilitates the injection of a crypto wallet drainer into websites. These drainers are harmful scripts that prompt users to connect their cryptocurrency wallets. However, upon connection, the script attempts to “drain” or steal all assets and NFTs, transferring them to the attackers.
In response to this security breach, LottieFiles promptly released version 2.0.8, which is based on the secure 2.0.4 version, urging users to upgrade immediately. LottieFiles CTO Nattu Adnan stated, “A significant number of users utilizing the library through third-party CDNs without a pinned version were inadvertently served the compromised version as the latest release. With the release of the secure version, those users would have automatically received the necessary fix.”
For those unable to upgrade to the latest version, it is essential to inform Lottie-player end users about the potential risks and to caution them against fraudulent cryptocurrency wallet connection requests. Remaining on version 2.0.4 is also a viable option.
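The CTO's point above, that sites loading the library from a CDN without a pinned version were served the malicious release automatically, suggests a simple audit a site owner can run. The following is an added example, not code from the article or from LottieFiles: it scans the script tags of a page and flags lottie-player loads that are unpinned, pinned to the compromised 2.0.5 to 2.0.7 range, or pinned but lacking a Subresource Integrity hash. The CDN host, URL layout, package path and sample page are constructed for illustration.

```javascript
// Added example: audit <script src> tags for unsafe lottie-player loads.
// The CDN host (cdn.example), the URL layout and the sample page below are
// constructed; the compromised version numbers come from the article.
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]);

// Pull src and integrity attributes from each <script> tag. Regex-based,
// intended for small constructed snippets rather than arbitrary HTML.
function extractScripts(html) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || "";
    const integrity = (tag.match(/\bintegrity\s*=\s*["']([^"']+)["']/i) || [])[1] || "";
    return { src, integrity };
  });
}

// Classify one script URL. Returns "ok", "unpinned", "compromised",
// "no-sri" or "not-lottie". The pinned form assumed is ".../lottie-player@X.Y.Z/...".
function classify({ src, integrity }) {
  if (!/lottie-player/i.test(src)) return "not-lottie";
  const m = src.match(/lottie-player@(\d+\.\d+\.\d+)(?=[/?#]|$)/);
  if (!m) return "unpinned";          // no tag, "@latest", or a range: CDN picks newest
  if (COMPROMISED.has(m[1])) return "compromised";
  if (!integrity) return "no-sri";    // pinned, but nothing detects a swapped file
  return "ok";
}

// Audit a whole page; drop scripts that are not lottie-player at all.
function auditPage(html) {
  return extractScripts(html)
    .map((s) => ({ src: s.src, status: classify(s) }))
    .filter((r) => r.status !== "not-lottie");
}

// Constructed sample page: the weak loads beside the acceptable one.
const SAMPLE_HTML = `
<script src="https://cdn.example/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://cdn.example/npm/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.example/other.js"></script>
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditPage(SAMPLE_HTML)) console.log(r.status.padEnd(12), r.src);
}
```

The integrity value is a placeholder; a real deployment computes the hash over the exact file it intends to serve.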
LottieFiles operates as a software-as-a-service (SaaS) platform that enables the creation and sharing of lightweight, vector-based (scalable) animations, which can be seamlessly embedded in applications and websites. It is particularly favored for delivering high-quality visuals with minimal performance impact on less powerful devices, mobile platforms, and web applications.
Supply chain attack loads crypto wallet drainer
Recently, developers utilizing the Lottie-Player script became aware of a supply chain attack that compromised their systems, resulting in websites employing the affected script unexpectedly prompting users to connect their cryptocurrency wallets. BleepingComputer conducted an analysis of the malicious iteration of the Lottie-Player JavaScript script by integrating it into a basic HTML page, confirming that the addition triggered the loading of a crypto drainer.
If a user interacts with one of the buttons to link to a wallet, the script establishes a WebSocket connection to the domain castleservices01[.]com, which has been previously associated with cryptocurrency phishing schemes. LottieFiles reported that the compromise of its JavaScript library occurred after an authentication token belonging to one of its developers was stolen, enabling the upload of the malicious versions of the npm package.
LottieFiles reassured that its other open-source libraries, code repositories, and SaaS offerings remained unaffected. The organization is actively conducting an internal investigation into the breach, collaborating with external experts, and may provide further information regarding the incident in the future.
At this moment, the precise number of individuals impacted and the total amount of cryptocurrency lost due to this attack remain undetermined. Crypto drainers have emerged as a significant threat within the cryptocurrency sector, with malicious actors targeting prominent X accounts, breaching websites, and employing AI-generated videos and harmful advertisements to promote sites that incorporate these malicious scripts.
In 2023, advertisements on Google and Twitter directed users to sites featuring a cryptocurrency drainer known as ‘MS Drainer,’ which resulted in the theft of $59 million from 63,210 victims over a span of nine months.