Malicious code in Lottie-Player CDN files #254
Comments
Up
Up
Up
You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.
npm versions of this lib got updated a few minutes ago: https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions There is malicious code in the last 2 versions. I think the NPM token for deployment was leaked somehow.
up
npm versions got updated not even one hour ago: https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions As @SergejKembel said, the virus seems to be in version 2.0.5 and higher.
Same here!
I chose to stop using it! Fortunately, we didn't rely on it much!
Just switched to the airbnb lib. Lottiefiles, I'm sorry, but you're just like a French TV channel with credentials on the wall)
There are no 2.0.5 or 2.0.6 versions at all. 2.0.4 has been the latest (on github) for 8 months, lol...
+1 here to this. This is the last time it seems the actual code in this repo was updated: could this commit also be related? This isn't really my area of expertise, but if you look on beta there's a bunch of commits related to the secrets:
Yeah, looks like the virus was directly deployed to npm. Maybe some secret got stolen.
Same here, deleted from my site, never coming back
I was doing some TryHackMe rooms and they use this library, so this popup showed up 😂
2.0.4 looks safe for now: <script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
For a quick solution, what should be done? Just delete these two scripts?
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>
You should remove it from your scripts, and if you have a package.json also delete it there.
To all of those who want to avoid this happening again: set up a CSP (Content Security Policy) so injected scripts like this can't run. This is typically done in the headers of your website.
@zarco-dev, if you are using lottie-player, I would not delete the scripts. You can change to a safe version as @LuisReyes98 suggests.
Thanks!
2.0.4 is a commit on master
Oh, looks like I stand corrected. 2.0.4 is the most recent safe version.
We are already on twitter :)
Thanks for reporting this! We are tackling this now.
For the other folks who asked how to deal with a script that has been changed: you need to use SRI with a file hash. Then, even if the script gets hijacked/injected, when you load it into your site the hash won't match and the browser will refuse to load the file.
That won't help if you are using the "latest" version, though, right?
You cannot use the latest version with SRI.
I can conclude so far that:
It doesn't seem like the code sends money directly somewhere, but there is ABI encoding logic there. Continuing to investigate.
Latest version (2.0.5) from https://cdnjs.com/libraries/lottie-player has SRI, but is also malicious.
Who is "aidosmf aidosmf@gmail.com"?
You should have control over the integrity hash on your side for it to work.
Yeah, but is he one of the owners here?
2.0.7 is deprecated now, I guess it's @jawish
Nw - yeah he appears to be, he's in the LottieFiles org
We are still investigating, but it seems, as you folks have identified, that @Aidosmf's token was compromised. The token was used to publish versions 2.0.5, 2.0.6 and 2.0.7 in successive releases over 3 hours. 2.0.5 was pushed to npm at 8:12 PM GMT, 30 Oct 2024. We have removed the compromised account access and published a new 2.0.8 version that is a copy of 2.0.4, for all those of you who are using the implicit latest tag via CDNs. If you are using it by explicitly specifying the version and are using any of the affected versions, please change to 2.0.4 or 2.0.8. We have reached out to npm to help unpublish the affected versions, as their web portal and CLI are not letting us unpublish them.
And what about the CDNs? As long as they serve them, this is still a Pandora's box for eternity?
I realized I never thought about it, but the CDNs then have a historical track record of every malware breach. You can always go back and study malware, right?! Or reinfect. Hm.
I created a copy of it for scientific purposes for anyone interested here:
UPDATE: The affected versions have now been removed from npmjs.com (2.0.5, 2.0.6, 2.0.7). If you had one of these versions explicitly specified in package.json, please do bump to 2.0.8. The new 2.0.8 release is being served on CDNs as the latest, which should fix the issue for many folks (but we highly recommend using a fixed version as best practice). The compromised versions have been automatically removed from jsDelivr but not CDNjs.com, so they are currently still accessible if accessed via the explicit version specifier.
I've put up a Twitter recap and also a Nuclei Template Detection for the specific versions above: https://x.com/galnagli/status/1851779972639363076 Template: https://gist.github.com/NagliNagli/be5f4cb8be90a3c3985ef776b1b3dd73
Incident Response for Recently Infected Lottie Web Player versions 2.0.5, 2.0.6, 2.0.7
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th ~6:20 PM UTC, LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring the safety and security of our users, customers, their end-users, developers, and our employees.
Immediate Mitigation Actions
Impact
Recommended Steps
Next Steps
If you believe you're affected, don't hesitate to reach out to us at priority_support@lottiefiles.com
Quick update for whoever is watching this issue. CDNJS now redirects the affected versions to
After I use
https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js
or
https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js
this popup opens on my site.