A supply-chain compromise of Lottie Player, a widely used JavaScript animation library, has hit multiple decentralized applications (dApps). Three versions of the @lottiefiles/lottie-player npm package, 2.0.5 through 2.0.7, were published with malicious code embedded in the player's JavaScript, so every page that loaded one of those builds executed the attacker's code alongside its animations.
According to Scam Sniffer, a platform that tracks crypto phishing, at least one victim lost 10 BTC (approximately $723,000) after signing a phishing transaction presented by the injected code.
Blockaid, a security platform monitoring the incident, confirmed on Wednesday that the injected code displayed a fake wallet-connection prompt backed by "Ace Drainer," a wallet-drainer kit that imitates a legitimate connection flow and requests transactions that move funds out of the victim's wallet. The compromised player turned an otherwise harmless animation into an entry point: visitors to affected sites saw a pop-up asking them to connect their wallet, the connection went to attacker-controlled infrastructure rather than the site's own, and anyone who approved the transactions it requested authorised the theft of their own assets.
LottieFiles' vice president of engineering, Jawish Hameed, announced on Wednesday that the compromised versions had been removed from npm and superseded by a clean release, 2.0.8. Hameed said the breach involved the GitHub account of a senior engineer, from which the attackers pushed the three compromised versions within roughly three hours on Tuesday. LottieFiles has revoked all access held by the affected account and says it has put additional safeguards in place.
The incident illustrates why supply-chain attacks are so effective: compromising one library that many sites depend on reaches all of them at once. Sites that loaded Lottie Player without pinning a specific version picked up the compromised builds automatically as soon as they were published, which greatly widened the attackers' reach. Decentralized exchange aggregator 1inch, one of the primary targets, told users on social media that only its web dApp was affected, while its wallet app and core protocols remained secure.
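The automatic pickup described above happens when a page references the package by a floating tag (no version, `@latest`, or a caret range) rather than an exact version with a Subresource Integrity hash. The following scanner is an added example, not code from the article or from LottieFiles: it flags `<script>` tags that load @lottiefiles/lottie-player at one of the compromised versions (2.0.5 to 2.0.7, as reported above) or at an unpinned reference, notes whether an `integrity` attribute is present, and checks whether a package.json-style specifier (exact, `^`, `~`, `latest`) could resolve to a compromised build. The sample HTML and the sha384 placeholder are constructed for illustration.

```javascript
// Added example (not LottieFiles' tooling): detect unpinned or compromised
// @lottiefiles/lottie-player references in HTML and package.json specifiers.
// Compromised versions are those named in the article.
const COMPROMISED = new Set(["2.0.5", "2.0.6", "2.0.7"]);

// Matches the package in common CDN URL layouts, capturing the version tag if any:
//   https://unpkg.com/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js
//   https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js
//   https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js   (no version)
const PKG_RE = /@lottiefiles\/lottie-player(?:@([^/\s"']+))?/;
const EXACT_RE = /^\d+\.\d+\.\d+$/;

// Compare two "x.y.z" strings numerically; negative if a < b.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Could a package.json-style specifier resolve to a compromised version?
// Handles exact versions, "latest"/"*"/empty, and ^ / ~ ranges; any other
// syntax is reported as risky so a human reviews it.
function specifierAllowsCompromised(spec) {
  if (!spec || spec === "latest" || spec === "*") return true;
  const m = spec.match(/^([\^~]?)(\d+\.\d+\.\d+)$/);
  if (!m) return true;
  const [, op, base] = m;
  const [maj, min] = base.split(".").map(Number);
  for (const bad of COMPROMISED) {
    if (cmpVersion(bad, base) < 0) continue; // below the lower bound of the range
    const [bmaj, bmin] = bad.split(".").map(Number);
    if (op === "" && bad === base) return true;           // exact pin on a bad version
    if (op === "^" && bmaj === maj) return true;           // same major admits it
    if (op === "~" && bmaj === maj && bmin === min) return true; // same major.minor
  }
  return false;
}

// Scan HTML for <script src=...> tags referencing the package and classify each.
// verdict: "compromised" (exact bad version), "ok" (exact other version),
// or "unpinned" (no version, a dist-tag, or a range that floats to "latest").
function scanHtml(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const src = tag[1];
    const m = src.match(PKG_RE);
    if (!m) continue;
    const version = m[1] || null;
    let verdict;
    if (version && EXACT_RE.test(version)) {
      verdict = COMPROMISED.has(version) ? "compromised" : "ok";
    } else {
      verdict = "unpinned";
    }
    const hasIntegrity = /\bintegrity\s*=/i.test(tag[0]);
    findings.push({ src, version, verdict, hasIntegrity });
  }
  return findings;
}

// Constructed sample page: one floating tag, one compromised pin, one clean pin
// with SRI (hash value is a placeholder), and one unrelated script.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://example.invalid/app.js"></script>
`;

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(`${f.verdict.padEnd(11)} sri=${f.hasIntegrity ? "yes" : "no "} ${f.src}`);
}
for (const spec of ["^2.0.4", "~2.0.3", "2.0.8", "^2.0.8", "latest"]) {
  console.log(`package.json "${spec}": ${specifierAllowsCompromised(spec) ? "RISKY" : "safe"}`);
}
```

The safe configuration the scanner rewards is an exact version plus an `integrity` hash: a CDN cannot then silently substitute a newer build, and a tampered file fails the browser's SRI check instead of executing. The specifier check is deliberately conservative: a caret range such as `^2.0.4` is flagged because it would have resolved to 2.0.7 while that version was on npm, even though a lockfile may have frozen an older build.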
Compromised or vulnerable components in widely used libraries and tools have become a critical concern, because attackers who control such code inherit the trust of every site that embeds it and can reach those sites' users directly. The incident follows another costly case earlier this month, in which a PEPE token holder lost $1.39 million after unknowingly signing a malicious Permit2 approval that let the attacker transfer the tokens.
As the decentralized finance (DeFi) ecosystem grows, robust controls over both the code that front ends load and the transactions users are asked to sign become increasingly vital to protect users from evolving threats in the crypto landscape.
October 2024, Cryptoniteuae