lottie-player
lottie-player compromised via token, crypto theft.
The lottie-player npm package was compromised when attackers gained access to a developer's access token. They published three malicious versions (2.0.5, 2.0.6, 2.0.7) that prompted users to connect their Web3 wallets, enabling theft of cryptocurrency assets. The compromised versions were served via CDNs, so sites that loaded the package without pinning a specific version received the malicious code.
- Date
- 2024-10-30
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Financial Exploitation
- Cause
- Compromised Account/Credentials
What Was Affected
Package
lottie-player
Language
javascript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.com
Repository
github.com/LottieFiles/lottie-player
Compromised Versions
2.0.5, 2.0.6, 2.0.7
Incident Context
- Motive
- Financial gain
- Attribution
- Individual Hacker
- Transitive
- No
- User Impact
- 94000
- Observed Duration
- 0 days
Evidence
Compromised Artifacts
- unpkg.com/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.js
- cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js
- registry.npmjs.org/@lottiefiles/lottie-player/-/lottie-player-2.0.5.tgz
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha1:446996c35a4188647361733b4c7175b2aeea9611
- sha1:5bbd2290a7de5a4736fdafe171f5b6eae6abc27e
- sha1:846f2efc0212317b5e44690234995ba7e269dee3
External References
Source Data
Source record: oss/lottie-player/meta.yaml