Malicious code in Lottie-Player CDN files #254
Comments
|
Up |
|
When i open google Dev Tools
|
|
You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally. |
|
npm versions of this lib got updated few minutes ago https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions There is malicious code in last 2 versions. I think the NPM token for deployment was leaked somehow |
|
|
up |
|
npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions as @SergejKembel said, virus seems to be in version 2.0.5 and higher. |
|
|
|
|
|
Same here! I chose to stop using it! Fortunately, we didn’t rely on it much! |
|
Just switched to airbnb lib. Lottiefiles, i'm sorry but you're just like an French TV channel with credentials on the wall) |
There is no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on github) for 8 months, lol... |
|
+1 here to this, this is the last time it seems the actual code in this repo was updated: could this commit also be related? This isn't really my area of expertise but if you look on beta there's a bunch of commits related to the secrets: |
Yeah, looks like the virus was directly deployed to npm. Maybe some secret got stolen. |
At least at GitHub releases - but you can trigger a manual deployment to npm if you have the npm token so you have a npm release and no GitHub release associated with it |
|
I have the same error, malware? |
|
Same here, deleted from my site, never coming back |
No - its a new feature. Please connect your wallet (just kidding - pls dont do that. Yes, its the same issue) |
|
I was doing some TryHackMe rooms and they use this library, so this popup showed up 😂 |
|
2.0.4 looks safe for now <script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script> |
|
For a quick solution, what would be done? just delete these two scripts? <script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script> |
You should remove it from your scripts and if you have a package.json also delete it. |
|
I went back to 2.0.4 everything is normal |
|
To all of those who want to avoid this happening again, setup a CSP (Content Security Policy) so injected scripts like this can't happen. This is typically done in the headers of your website |
Have connected my wallet, something weird happening with balance. But hope LottieFiles have received this funds and soon will start a tender to buy KeePass. |
|
@zarco-dev , if you are using lottie-player would not delete the scripts. You can modify to a safe version as @LuisReyes98 suggests
|
Thanks! |
2.0.4 is a commit on master |
|
Oh looks like I stand corrected. 2.0.4 is the most recent safe version. |
We are already on twitter :) |
|
Thanks for reporting this! We are tackling this now. |
|
For the other guys mentioned how to deal with script that has been changed, you need to use SRI with file hash, then even if script got hijacked/injected, when you load it into your site, the hash wouldn't match and will drop the file from loading. |
That won't help if you are using the "latest" version, though, right? |
You can not use latest version with SRI |
|
I can conclude so far that:
It doesn't seem like the code sends money directly somewhere, but there is ABI encoding logic there. Continue investigating. |
Latest version (2.0.5) from: https://cdnjs.com/libraries/lottie-player has SRI, but also malicious. |
|
I'd like to drop in and say that I've personally been receiving some phishing emails from fake npm domains, with invites to my own projects, as well as all of our staff members - and it's possible that's what happened here. I didn't click any links and so I'm not sure exactly what it does 
|
|
Who is "aidosmf aidosmf@gmail.com"? |
You should have control over integrity hash on your side for it to work |
|
Yeah, but is he one of the owners here? |
|
2.0.7 is deprecated now, I guess it's @jawish |
Nw - yeah he appears to be, he's in the LottieFiles org |
|
We are still investigating but it seems like, as you folks have identified, @Aidosmf token was compromised. The token was used to publish versions 2.0.5, 2.0.6, 2.0.7 in succession releases over 3 hours. 2.0.5 - pushed to npm at 8:12 PM GMT, 30 Oct 2024 We have removed the compromised account access and published a new 2.0.8 version that is a copy of the 2.0.4, for all those of you who are using the implicit latest tag via CDNs. If you are using it by explicitly specifying the version and are using any of the affected versions, please change to 2.0.4 or 2.0.8. We have reached out to npm to help unpublish the affected versions as their web portal and CLI is not letting us unpublish the affected versions. |
|
And what about the cdns? As long as they serve them, this is still a pandorras-box for eternity? |
|
I realized i never thought about it, but the cdns then have a historicall trackrecord of every malware-breach. You can always go back and study malware, right?! Or reinfect. Hm. |
|
I created a copy of it for scientific purposes for anyone interested here: |
|
UPDATE: The affected versions have now been removed from npmjs.com (2.0.5, 2.0.6, 2.0.7). If you had once of these versions explicitly specified in package.json, please do bump to 2.0.8. The new 2.0.8 release is being served on CDNs as the latest, that should fix the issue for many folks (but highly recommend using a fixed version as best practice). The compromised versions have been automatically removed from jsDeliver but not CDNjs.com so they are, currently, still accessible if accessed via the explicit version specifier. |
|
I've put up a Twitter recap and also Nuclei Template Detection for the specific versions above ^ https://x.com/galnagli/status/1851779972639363076 Template: https://gist.github.com/NagliNagli/be5f4cb8be90a3c3985ef776b1b3dd73 |
Incident Response for Recently Infected Lottie Web Player versions 2.05, 2.06, 2.07Comm Date/Time: Oct 31st, 2024 04:00 AM UTC Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees. Immediate Mitigation Actions
Impact
Recommended Steps
Next Steps
If you believe you’re affected, don’t hesitate to reach out to us at priority_support@lottiefiles.com |
Quick update for whoever is watching this issue. CDNJS now redirects the affected versions to |
and others
after i use
https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.jsor
https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.jsThis popup opens on my site.
The text was updated successfully, but these errors were encountered: