A significant security breach has impacted multiple decentralized applications (dApps) following malicious code injections into Lottie Player, a popular JavaScript animation library. Attackers published compromised updates to the library’s npm package, embedding code in versions 2.0.5 through 2.0.7 that enabled phishing scams and drained user funds.
The breach’s financial impact is already severe. According to Scam Sniffer, a fraud-detection platform, at least one individual lost 10 BTC (approximately $723,000) after inadvertently authorizing a phishing transaction. The breach has raised alarms across the dApp ecosystem as decentralized platforms scramble to secure their users.
Attack Mechanics: How Lottie Player Became an Entry Point
The attack began when malicious actors inserted harmful code into JSON files within recent versions of Lottie Player. When users visited websites using the compromised library, they encountered fake wallet connection prompts. These pop-ups, controlled by the attackers, looked like legitimate wallet connection requests and deceived users into granting access to their funds.
Cybersecurity platform Blockaid confirmed that attackers deployed “Ace Drainer,” a drainer malware designed to mimic legitimate wallet connections and drain user funds. Blockaid’s monitoring of the incident revealed how these compromised JSON animations were leveraged as a backdoor for phishing schemes, making it easy for attackers to deploy fake wallet prompts on affected websites.
LottieFiles Responds: Remedial Steps and Version Update
LottieFiles acted quickly to mitigate the threat. Jawish Hameed, vice president of engineering at LottieFiles, confirmed that the company removed the affected versions from npm and released a safe update (version 2.0.8). The breach stemmed from a senior engineer’s GitHub account, which the attackers used to push three compromised updates within hours. LottieFiles has since revoked the compromised developer account’s access and implemented additional security measures to prevent future incidents.
Supply chain attacks like these pose substantial risks in the digital ecosystem. By infiltrating widely used libraries, hackers can reach a broad range of users through trusted platforms, making it difficult for unsuspecting individuals to recognize the threat until it’s too late.
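For a team that depends on the library, the first remediation step is to find out whether any copy of the affected versions is pinned in the project’s lockfile, including copies pulled in transitively by other dependencies. The script below is an added example, not code from LottieFiles or from the article; it assumes the npm package is named `@lottiefiles/lottie-player` and takes the affected range (2.0.5 through 2.0.7, fixed in 2.0.8) from the article. It reads an npm `package-lock.json` in either the older nested `dependencies` format (lockfileVersion 1) or the flat `packages` map (lockfileVersion 2/3), and reports every installed copy with a verdict. The sample lockfile embedded at the bottom is constructed for the demonstration.

```python
"""Scan an npm lockfile for the compromised Lottie Player releases.

Added example. Assumptions: package name "@lottiefiles/lottie-player"
(not stated in the article), affected versions 2.0.5-2.0.7 and fixed
version 2.0.8 (as the article states).
"""
import json

PACKAGE = "@lottiefiles/lottie-player"   # assumed npm package name
AFFECTED = {(2, 0, 5), (2, 0, 6), (2, 0, 7)}
FIXED = (2, 0, 8)


def parse_version(v):
    """Return (major, minor, patch) for an npm version string.

    Prerelease and build metadata are deliberately ignored, so a
    "2.0.7-beta.1" is treated as 2.0.7: the check is conservative.
    """
    core = v.lstrip("v=").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".")[:3])


def classify(version):
    t = parse_version(version)
    if t in AFFECTED:
        return "COMPROMISED"
    if t < FIXED:
        return "OLD_UNAFFECTED"   # predates the malicious releases
    return "OK"


def find_affected(lockfile_text):
    """Return a list of (install_path, version, verdict) for every copy of PACKAGE."""
    lock = json.loads(lockfile_text)
    findings = []

    if "packages" in lock:
        # lockfileVersion 2/3: keys are node_modules paths, nested copies
        # appear as ".../node_modules/<pkg>" deeper in the tree.
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/" + PACKAGE) and "version" in meta:
                findings.append((path, meta["version"], classify(meta["version"])))
        return findings

    # lockfileVersion 1: recursive "dependencies" objects
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PACKAGE and "version" in meta:
                findings.append((path, meta["version"], classify(meta["version"])))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return findings


# Constructed sample: a dApp pinned to a compromised release at the top
# level, plus a nested copy of the fixed release brought in by a widget.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "dependencies": {PACKAGE: "^2.0.0"}},
        "node_modules/@lottiefiles/lottie-player": {"version": "2.0.6"},
        "node_modules/some-widget": {"version": "1.4.0"},
        "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": {
            "version": "2.0.8"
        },
    },
})

if __name__ == "__main__":
    for path, version, verdict in find_affected(SAMPLE_LOCKFILE):
        print(f"{verdict:15} {version:8} {path}")
```

Run against a real `package-lock.json` by passing its contents to `find_affected`; a `COMPROMISED` verdict on any path, including a nested one under another dependency, means the tree needs `npm update` (or an explicit override) to 2.0.8 or later and a rebuild of every deployed bundle that was produced from the old tree.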
1inch and Other Affected Platforms Respond
Decentralized aggregator platform 1inch, one of the primary targets of the attack, assured users on social media that only its web dApp was compromised. According to 1inch, its wallet app and core protocols were unaffected by the breach. As dApps continue to face escalating security risks, this incident highlights the importance of robust security measures for all components of their platforms.
Notably, this breach resembles a recent attack in which a PEPE token holder lost $1.39 million after unknowingly signing a malicious Permit2 transaction, underscoring the growing frequency of security incidents in the crypto space.
Conclusion
The Lottie Player breach underscores the risks inherent in supply chain attacks on popular software libraries. For dApps relying on third-party libraries, the compromise serves as a reminder of the importance of continuous security monitoring. As platforms like LottieFiles work to reinforce their defenses, the incident reveals the critical need for heightened vigilance and proactive security practices in the evolving decentralized ecosystem.