In a significant and coordinated strike against the web3 ecosystem, vigilant on-chain investigators have uncovered a vast supply chain attack targeting Lottie Player. Earlier today, the LottieFiles team reported that attackers had successfully injected malicious code into multiple versions of the Lottie Player, specifically versions 2.0.5, 2.0.6, and 2.0.7. These compromised versions were subsequently published to GitHub's npm registry, where they were available for download.
Details of the Compromise
Alarmingly, the unauthorized versions contained malicious code that prompted users to connect their cryptocurrency wallets. Numerous users who loaded the library from third-party Content Delivery Networks (CDNs) without pinning a specific version were automatically served the compromised build, because an unversioned request resolves to the latest release. As the incident unfolds, the LottieFiles team is actively investigating, suspecting that a developer with the necessary publishing permissions may have facilitated the breach.
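The exposure described above comes from two gaps in how a site loads the library: an unpinned version spec (none, or a tag like `latest`) and no Subresource Integrity hash on the script tag. The following added example (not code from LottieFiles, 1inch, or any CDN) audits script tags for both conditions; the CDN URL layout it parses is the unpkg/jsDelivr convention, and the sample tags and the `sha384-PLACEHOLDER` integrity value are constructed.

```javascript
// Added example (not LottieFiles, 1inch or CDN code): audit <script> tags that
// load an npm package from unpkg/jsDelivr-style URLs and flag the two gaps that
// let a malicious "latest" release reach unpinned sites in this incident.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// "https://cdn/[npm/]@scope/name@spec/dist/file.js" -> { pkg, spec }.
// Returns null when the URL is not an npm-package CDN URL.
function parseCdnPackage(url) {
  let pathname;
  try { pathname = new URL(url).pathname; } catch { return null; }
  const parts = pathname.replace(/^\/(?:npm\/)?/, "").split("/");
  const scoped = parts[0].startsWith("@");
  const nameSeg = scoped ? parts[1] : parts[0];
  if (!nameSeg) return null;
  const at = nameSeg.lastIndexOf("@");        // "@" at index 0 is a scope, not a spec
  const base = at > 0 ? nameSeg.slice(0, at) : nameSeg;
  const spec = at > 0 ? nameSeg.slice(at + 1) : null;
  return { pkg: scoped ? `${parts[0]}/${base}` : base, spec };
}

// One <script> tag is only safe against a poisoned release when the version is
// pinned exactly AND the fetched bytes are verified with an integrity (SRI) hash.
function auditScriptTag({ src, integrity }, watched) {
  const parsed = parseCdnPackage(src);
  if (!parsed || !watched.includes(parsed.pkg)) return null;   // not a watched package
  const findings = [];
  if (parsed.spec === null || !EXACT_VERSION.test(parsed.spec)) {
    findings.push(`unpinned version "${parsed.spec ?? "(none, resolves to latest)"}"`);
  }
  if (!integrity) findings.push("no integrity attribute (SRI)");
  return { src, pkg: parsed.pkg, spec: parsed.spec, findings };
}

// Constructed sample tags; the integrity value is a placeholder, not a real digest.
const SAMPLE_SCRIPTS = [
  { src: "https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js" },
  { src: "https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js" },
  { src: "https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js" },
  { src: "https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js",
    integrity: "sha384-PLACEHOLDER" },
  { src: "https://unpkg.com/lodash@4/lodash.min.js" },
];

// Returns only the tags that need attention for the watched package(s).
function auditPage(scripts = SAMPLE_SCRIPTS, watched = ["@lottiefiles/lottie-player"]) {
  return scripts.map((s) => auditScriptTag(s, watched)).filter((r) => r && r.findings.length);
}
for (const r of auditPage()) console.log(`${r.src} -> ${r.findings.join("; ")}`);
```

Only the fourth sample tag passes both checks; pinning alone (third tag) still trusts the CDN to serve the right bytes, which is what the integrity hash closes.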
Response and Mitigation
To address the issue, the LottieFiles team has released a secure version, labeled 2.0.8, which mirrors the original Lottie Player version 2.0.4. In a crucial move to prevent further damage, the compromised package versions have been removed from the npm platform. Additionally, the team has revoked all access and related service accounts of the implicated developer, ensuring enhanced security measures going forward.
Impact of the Lottie Player Supply Chain Attack
The repercussions of the Lottie Player supply chain attack have been significant. As reported by the on-chain analysis platform Scam Sniffer, several leading decentralized applications (Dapps), including 1inch (1INCH) and Movement network, have been compromised. The attackers aimed to siphon off users’ funds, leading the 1inch protocol to commit to reimbursing all affected users via its network.
Steps for Affected Users
The 1inch team has issued a crucial advisory for all impacted users, recommending that they revoke ERC-20 token approvals granted to the malicious addresses using the revoke.cash platform. This proactive measure is essential to prevent any further financial losses. According to on-chain data analysis, the Lottie Player supply chain attack has already led to substantial losses, with one web3 user losing 10 Bitcoins, valued at over $720,000.
Conclusion
The Lottie Player supply chain attack serves as a stark reminder of the vulnerabilities that can exist within the web3 space. It underscores the importance of vigilance and the need for robust security measures to protect decentralized applications and their users. As the LottieFiles team continues its investigation, the broader web3 community must remain alert and take proactive steps to secure their digital assets and platforms against such threats.