Malicious code in Lottie-Player CDN files #254

Closed
MrAhmedSayedAli opened this issue Oct 30, 2024 · 74 comments

Comments

@MrAhmedSayedAli

After I use
https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js
or
https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.min.js

This popup opens on my site.

image

image

image

@cassianogf

Up

2 similar comments
@franciscoaguilars

Up

@bnt4

bnt4 commented Oct 30, 2024

Up

@MrAhmedSayedAli (Author)

When I open Google Dev Tools:

image

@bnt4

bnt4 commented Oct 30, 2024

You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

@SergejKembel

npm versions of this lib got updated a few minutes ago https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

There is malicious code in the last 2 versions. I think the NPM token for deployment was leaked somehow.

@MrAhmedSayedAli (Author)

> You can use Ctrl + F8 to disable breakpoints, then the debugger doesn't "stop" the website and you can use the dev tools normally.

image
image

@andres-frank

up

@bnt4

bnt4 commented Oct 30, 2024

npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions

As @SergejKembel said, the virus seems to be in version 2.0.5 and higher.

@tomoconnor

image

@MrAhmedSayedAli (Author)

https://cdnjs.cloudflare.com/ajax/libs/lottie-player/2.0.4/lottie-player.js works fine for now.

@edelciomolina

Same here!
If you search for 'Ethereum,' you'll see many references to cryptocurrency wallets.

https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js

I chose to stop using it! Fortunately, we didn’t rely on it much!

@lukasnobody

Just switched to airbnb lib.

Lottiefiles, I'm sorry, but you're just like a French TV channel with credentials on the wall)

@lukasnobody

lukasnobody commented Oct 30, 2024

> npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions
>
> As @SergejKembel said, the virus seems to be in version 2.0.5 and higher.

There are no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on GitHub) for 8 months, lol...

@poozipotti

+1 here to this, this is the last time it seems the actual code in this repo was updated:
8b37499
so 2.0.5 and 2.0.6 have code from ... somewhere?

could this commit also be related? This isn't really my area of expertise but if you look on beta there's a bunch of commits related to the secrets:
https://github.com/LottieFiles/lottie-player/commits/beta

@bnt4

bnt4 commented Oct 30, 2024

>> npm versions got updated not even one hour ago; https://www.npmjs.com/package/@lottiefiles/lottie-player?activeTab=versions
>> As @SergejKembel said, the virus seems to be in version 2.0.5 and higher.
>
> There are no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on GitHub) for 8 months, lol...

Yeah, looks like the virus was directly deployed to npm. Maybe some secret got stolen.

@SergejKembel

> There are no 2.0.5 or 2.0.6 versions at all. 2.0.4 latest (on GitHub) for 8 months, lol...

image

At least in GitHub releases - but you can trigger a manual deployment to npm if you have the npm token, so you have an npm release and no GitHub release associated with it.

@zarco-dev

image

I have the same error, malware?

@alejandrotrevi

Same here, deleted from my site, never coming back

@SergejKembel

> image
>
> I have the same error, malware?

No - it's a new feature. Please connect your wallet (just kidding - pls don't do that. Yes, it's the same issue)

@canelack

I was doing some TryHackMe rooms and they use this library, so this popup showed up 😂
A good reminder that @latest versions should be avoided in production to reduce the risk of supply chain attacks.

@LuisReyes98

2.0.4 looks safe for now

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

@zarco-dev

For a quick solution, what would be done? just delete these two scripts?

<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>

@franciscoaguilars

> For a quick solution, what would be done? just delete these two scripts?
>
> <script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
> <script src="https://unpkg.com/@dotlottie/player-component@latest/dist/dotlottie-player.mjs" type="module"></script>

You should remove it from your scripts and if you have a package.json also delete it.

@alancesardasilvasouza

alancesardasilvasouza commented Oct 30, 2024


I went back to 2.0.4 everything is normal

@baxtrax

baxtrax commented Oct 30, 2024

To all of those who want to avoid this happening again: set up a CSP (Content Security Policy) so injected scripts like this can't run. This is typically done in the headers of your website.

@lukasnobody

lukasnobody commented Oct 30, 2024

>> image
>> I have the same error, malware?
>
> No - it's a new feature. Please connect your wallet (just kidding - pls don't do that. Yes, it's the same issue)

Have connected my wallet, something weird happening with balance. But hope LottieFiles have received these funds and soon will start a tender to buy KeePass.

@ransome-psl

@zarco-dev, if you are using lottie-player I would not delete the scripts. You can change to a safe version as @LuisReyes98 suggests:

<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

@zarco-dev

> @zarco-dev, if you are using lottie-player I would not delete the scripts. You can change to a safe version as @LuisReyes98 suggests:
>
> <script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>

Thanks!

@SergejKembel

> Looks like all the versions after 2.0.1 are malicious, which makes sense as GitHub only shows releases up to 2.0.1; all the other releases look corrupt.

8b37499

2.0.4 is a commit on master

@bplv112

bplv112 commented Oct 30, 2024

Oh looks like I stand corrected. 2.0.4 is the most recent safe version.
It is weird that it was never released on github though.

@PatchRequest

> Are the hackers lurking in this thread?

We are already on twitter :)
https://x.com/CerastIntel/status/1851729392256311611

@jawish (Collaborator)

jawish commented Oct 30, 2024

Thanks for reporting this! We are tackling this now.

@Y8765

Y8765 commented Oct 30, 2024

For the other guys who mentioned how to deal with a script that has been changed: you need to use SRI with the file hash; then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the file will be dropped from loading.

@bronthulke

> For the other guys who mentioned how to deal with a script that has been changed: you need to use SRI with the file hash; then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the file will be dropped from loading.

That won't help if you are using the "latest" version, though, right?

@quarryman

>> For the other guys who mentioned how to deal with a script that has been changed: you need to use SRI with the file hash; then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the file will be dropped from loading.
>
> That won't help if you are using the "latest" version, though, right?

You cannot use the latest version with SRI.

@nyxs

nyxs commented Oct 30, 2024

I can conclude so far that:

  1. The code under "lottie-player.js" targets "app.1inch[.]io" website.
  2. Its primary goal is to connect to the user's crypto wallet.
  3. It adds new blockchain networks to the wallet.
  4. It enables interaction with smart contracts.

It doesn't seem like the code sends money directly somewhere, but there is ABI encoding logic there.

Continue investigating.

@gexly

gexly commented Oct 30, 2024

>> For the other guys who mentioned how to deal with a script that has been changed: you need to use SRI with the file hash; then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the file will be dropped from loading.
>
> That won't help if you are using the "latest" version, though, right?

Latest version (2.0.5) from https://cdnjs.com/libraries/lottie-player has SRI, but is also malicious.

@mason-rogers

mason-rogers commented Oct 30, 2024

I'd like to drop in and say that I've personally been receiving some phishing emails from fake npm domains, with invites to my own projects, as well as all of our staff members - and it's possible that's what happened here. I didn't click any links and so I'm not sure exactly what it does

image

@nyxs

nyxs commented Oct 30, 2024

Who is "aidosmf aidosmf@gmail.com"?
@jawish Do you know him?
I saw it once in the npm info and he's gone.

@mason-rogers

@quarryman

>>> For the other guys who mentioned how to deal with a script that has been changed: you need to use SRI with the file hash; then even if the script gets hijacked/injected, when you load it into your site the hash won't match and the file will be dropped from loading.
>>
>> That won't help if you are using the "latest" version, though, right?
>
> Latest version (2.0.5) from https://cdnjs.com/libraries/lottie-player has SRI, but is also malicious.

You should have control over the integrity hash on your side for it to work.

@nyxs

nyxs commented Oct 30, 2024

> @nyxs https://github.com/aidosmf

Yeah, but is he one of the owners here?
I mistakenly tagged you instead of @jawish

@nyxs

nyxs commented Oct 30, 2024

2.0.7 is deprecated now, I guess it's @jawish
image

@mason-rogers

>> @nyxs https://github.com/aidosmf
>
> Yeah, but is he one of the owners here? I mistakenly tagged you instead of @jawish

Nw - yeah he appears to be, he's in the LottieFiles org

@jawish (Collaborator)

jawish commented Oct 30, 2024

We are still investigating, but it seems that, as you folks have identified, @Aidosmf's token was compromised.

The token was used to publish versions 2.0.5, 2.0.6 and 2.0.7 in successive releases over 3 hours.

2.0.5 - pushed to npm at 8:12 PM GMT, 30 Oct 2024
2.0.6 - pushed to npm at 8:35 PM GMT, 30 Oct 2024
2.0.7 - pushed to npm at 9:57 PM GMT, 30 Oct 2024

We have removed the compromised account's access and published a new 2.0.8 version that is a copy of 2.0.4, for those of you who are using the implicit latest tag via CDNs.

If you are using it by explicitly specifying the version and are on any of the affected versions, please change to 2.0.4 or 2.0.8. We have reached out to npm to help unpublish the affected versions, as their web portal and CLI are not letting us unpublish them.

@teamgroove

And what about the CDNs? As long as they serve them, is this still a Pandora's box for eternity?
The crap should be deleted and overwritten with a blank file or redirected to a valid one. It breaks the integrity, of course.
Does our CDN industry already have a solution to this in the semver world they exist in?

@teamgroove

I realized I never thought about it, but the CDNs then have a historical track record of every malware breach. You can always go back and study malware, right?! Or reinfect. Hm.

@jkobus

jkobus commented Oct 30, 2024

I created a copy of it for scientific purposes for anyone interested here:
https://gist.github.com/jkobus/57f7a198c521237d980753d9025893b8

@jawish (Collaborator)

jawish commented Oct 30, 2024

UPDATE:

The affected versions have now been removed from npmjs.com (2.0.5, 2.0.6, 2.0.7).

If you had one of these versions explicitly specified in package.json, please do bump to 2.0.8.

The new 2.0.8 release is being served on CDNs as the latest, which should fix the issue for many folks (but we highly recommend using a fixed version as best practice). The compromised versions have been automatically removed from jsDelivr but not cdnjs.com, so they are currently still accessible if accessed via the explicit version specifier.

@NagliNagli

I've put up a Twitter recap and also Nuclei Template Detection for the specific versions above ^

https://x.com/galnagli/status/1851779972639363076

Template:

https://gist.github.com/NagliNagli/be5f4cb8be90a3c3985ef776b1b3dd73

@reallynattu (Member)

Incident Response for Recently Infected Lottie Web Player versions 2.0.5, 2.0.6, 2.0.7

Comm Date/Time: Oct 31st, 2024 04:00 AM UTC

Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees.

Immediate Mitigation Actions

  • Published a new safe version (2.0.8)
  • Unpublished the compromised package versions from npm
  • Removed all access and associated tokens/services accounts of the impacted developer

Impact

  • Versions 2.0.5, 2.0.6, 2.0.7 were published directly to npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.
  • The unauthorized versions contained code that prompted for connecting to user’s crypto wallets.
  • A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix.

Recommended Steps

  • If using the 2.0.5, 2.0.6 or 2.0.7 versions, please update to the latest version 2.0.8
    SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==
  • If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets.

Next Steps

  • LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.
  • We have confirmed that our other open source libraries, open source code, GitHub repositories, and our SaaS were not affected.

If you believe you’re affected, don’t hesitate to reach out to us at priority_support@lottiefiles.com

@xmflsct

xmflsct commented Oct 31, 2024

> UPDATE:
>
> The affected versions have now been removed from npmjs.com (2.0.5, 2.0.6, 2.0.7).
>
> If you had one of these versions explicitly specified in package.json, please do bump to 2.0.8.
>
> The new 2.0.8 release is being served on CDNs as the latest, which should fix the issue for many folks (but we highly recommend using a fixed version as best practice). The compromised versions have been automatically removed from jsDelivr but not cdnjs.com, so they are currently still accessible if accessed via the explicit version specifier.

Quick update for whoever is watching this issue. CDNJS now redirects the affected versions to 2.0.8.
