Open Source · 2024-10-30 · 0 days · Financial Exploitation

lottie-player prompted wallet drains

A stolen maintainer token published lottie-player 2.0.5 through 2.0.7. CDN consumers received Web3 wallet prompts that could trick users into signing asset-draining transactions.

Story

Lottie Player is a browser component for rendering lightweight animations. On 2024-10-30, attackers used a compromised maintainer access token to publish three malicious npm versions after months without a release.

The payload changed the browser surface, not the animation format. Sites loading the affected package saw unexpected cryptocurrency wallet prompts, including common wallet brands. Users who trusted the page could be led into signing a malicious transaction.

The CDN path made the incident fast. Sites that referenced the latest tag, or pulled unpinned builds from unpkg or jsDelivr, could receive the compromised release without changing their own code. Sites pinned to a known-good version were not exposed in the same way.

LottieFiles removed the bad releases and published 2.0.8 as the safe replacement. Wiz and Sonatype reported at least one suspected theft transaction, but the package record treats weekly downloads as exposure, not confirmed victims.

The operational lesson is pinning. Teams that loaded a specific clean version had a narrower problem than sites that let CDN resolution float to the newest npm release, where a compromised maintainer token could change runtime browser code without a site deploy.
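As an added example, not part of this source record or of LottieFiles' own tooling, the following Node.js audit classifies unpkg and jsDelivr script references in a page as pinned or floating and checks whether each tag carries an SRI integrity attribute. The sample HTML, the integrity value and the scoped package name @example/widget are constructed; the URL shapes for unpkg and jsDelivr are the documented ones, but the audit treats any version spec it cannot parse as an exact version as floating.

```javascript
// Added audit helper (not from the source record): flags <script src> tags that
// let a CDN resolve a package version at load time, which is how an npm release
// published with a stolen maintainer token can reach a site with no deploy.
const CDN_PATTERNS = [
  // unpkg:    https://unpkg.com/<pkg>[@<spec>][/path]
  { cdn: "unpkg", re: /^https:\/\/unpkg\.com\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(?:\/.*)?$/ },
  // jsDelivr: https://cdn.jsdelivr.net/npm/<pkg>[@<spec>][/path]
  { cdn: "jsdelivr", re: /^https:\/\/cdn\.jsdelivr\.net\/npm\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(?:\/.*)?$/ },
];

// Exact semver only: 2.0.8, 1.4.2-beta.1. Anything else floats.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function classifySpec(spec) {
  if (spec === undefined || spec === "") {
    return { pinned: false, reason: "no version; CDN resolves to the newest npm release" };
  }
  if (EXACT_SEMVER.test(spec)) {
    return { pinned: true, reason: "exact version; immutable on npm once published" };
  }
  if (/^[\^~]/.test(spec) || /[x*]/i.test(spec) || /^\d+(\.\d+)?$/.test(spec)) {
    return { pinned: false, reason: `range "${spec}"; CDN picks the newest matching release` };
  }
  return { pinned: false, reason: `dist-tag "${spec}"; follows whatever the tag currently names` };
}

// Returns null for URLs that are not unpkg/jsDelivr npm references.
function classifyCdnScript(src) {
  for (const { cdn, re } of CDN_PATTERNS) {
    const m = src.match(re);
    if (!m) continue;
    const [, pkg, spec] = m;
    return { cdn, pkg, spec: spec === undefined ? null : spec, ...classifySpec(spec) };
  }
  return null;
}

// Scans <script> tags; severity reflects whether a swapped CDN build would run.
function auditHtml(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (!srcMatch) continue;
    const src = srcMatch[1];
    const c = classifyCdnScript(src);
    if (!c) continue;
    const hasIntegrity = /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs);
    let severity;
    if (!c.pinned && !hasIntegrity) severity = "high";       // new release loads and runs silently
    else if (!c.pinned) severity = "medium";                  // SRI refuses a changed file, but the tag breaks on any release
    else if (!hasIntegrity) severity = "low";                 // version is fixed; SRI would also verify CDN delivery
    else severity = "ok";
    findings.push({ src, ...c, hasIntegrity, severity });
  }
  return findings;
}

// Constructed sample page; the integrity value is a placeholder, not a real digest.
const SAMPLE_HTML = `
<script src="https://unpkg.com/lottie-player/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/lottie-player@^2.0.0/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="https://unpkg.com/@example/widget@1.4.2/dist/widget.js"></script>
<script src="/static/app.js"></script>
`;

for (const f of auditHtml(SAMPLE_HTML)) {
  console.log(`[${f.severity}] ${f.cdn} ${f.pkg}@${f.spec ?? "(none)"} sri=${f.hasIntegrity} :: ${f.reason}`);
}
```

Running the block prints one line per CDN tag; the first three (no version, the latest tag, a caret range) are the cases that would have pulled 2.0.5 through 2.0.7 without a site deploy, while the pinned 2.0.8 tag with an integrity attribute is the shape the story's lesson calls for.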

Affected Artifacts

lottie-player

npm · repository · Source Archive
Observed
2024-10-30
Compromised Versions
2.0.5, 2.0.6, 2.0.7
Fixed
2.0.8
Hashes
  • sha1:446996c35a4188647361733b4c7175b2aeea9611
  • sha1:5bbd2290a7de5a4736fdafe171f5b6eae6abc27e
  • sha1:846f2efc0212317b5e44690234995ba7e269dee3
Wiz and Sonatype reported roughly 94,000 weekly downloads as exposure context, not a confirmed victim count.

Incident Context

Motive
Financial Gain
Attribution
Person
Cause
Compromised Account Credentials
Transitive
No
Actor
Individual Hacker

External References

Source record: oss/attacks/lottie-player/meta.yaml