• Top online animation tool LottieFiles hacked to target victim cry

    From TechnologyDaily@1337:1/100 to All on Friday, November 01, 2024 10:45:05
    Top online animation tool LottieFiles hacked to target victim crypto wallets

    Date:
    Fri, 01 Nov 2024 10:33:18 +0000

    Description:
    LottieFiles project was hacked to prompt victims into connecting their wallets.

    FULL STORY ======================================================================

    A popular online animation tool was abused to trick people into handing over access to their cryptocurrency wallets, with at least one individual losing close to $700,000.

    LottieFiles is a platform that provides tools and a library for creating, editing, and sharing lightweight, scalable animations in the Lottie format. These animations, together with the LottiePlayer plugin, are commonly used in websites and mobile applications; the player sees 94,000 weekly downloads and has been downloaded more than 4 million times since its launch.

    Recently, an unnamed threat actor somehow obtained a session cookie from one of the developers of LottieFiles, and used that access to push three new versions of LottiePlayer (2.0.5, 2.0.6, and 2.0.7) to npmjs. Websites that use LottiePlayer and were configured to always use the latest version had the malicious versions downloaded automatically.

    New version released

    These new versions prompted website visitors to connect their cryptocurrency wallets, which effectively gives the site access to the stored funds. We don't know how many people fell for the trick and connected their wallets, but we do know that at least one person did, and it cost them 10 BTC, which is $696,960 at press time. This information came from Scam Sniffer, a Web3 anti-scam platform.

    "On October 30th ~6:20 PM UTC LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the project's co-founder and CTO, Nattu Adnan, wrote on GitHub. "This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees."

    The attacker was quickly ousted and a new version, 2.0.8, was pushed live. It is a copy of the last safe version, 2.0.4.

    "We have confirmed that our other open source libraries, open source code, GitHub repositories, and our SaaS were not affected."
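    An added example, not code from LottieFiles or from the article: a Node.js check that audits a project's package.json and package-lock.json (the lockfile v2/v3 "packages" layout is assumed) for the @lottiefiles/lottie-player versions named in this story, and flags floating version ranges that let npm resolve to whatever is newest, the kind of "always use the latest version" setup the story describes. The sample package.json and lockfile below are constructed for the demonstration.

```javascript
// Added example (not LottieFiles code): audit a project's declared dependency
// on @lottiefiles/lottie-player against the versions this story names
// (2.0.5-2.0.7 unauthorized; 2.0.4 and 2.0.8 safe) and flag floating ranges.
const PKG = '@lottiefiles/lottie-player';
const MALICIOUS = new Set(['2.0.5', '2.0.6', '2.0.7']);

// An exact pin is major.minor.patch with no range operator or dist-tag.
const EXACT = /^\d+\.\d+\.\d+$/;

// Classify one version spec as it would appear in package.json.
function classifySpec(spec) {
  if (EXACT.test(spec)) {
    return MALICIOUS.has(spec) ? 'malicious' : 'pinned';
  }
  // "latest", "*", "^2.0.0", "~2.0.0", ">=2" etc. let the installer pick a
  // newer release at install time, which is how the bad versions reached sites.
  return 'floating';
}

// Audit a parsed package.json and (optionally) a parsed lockfile whose
// "packages" map uses "node_modules/<name>" keys (lockfile v2/v3, assumed).
function auditProject(packageJson, lockfile) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const spec = packageJson[field] && packageJson[field][PKG];
    if (spec === undefined) continue;
    findings.push({ where: `package.json:${field}`, spec, status: classifySpec(spec) });
  }
  if (lockfile && lockfile.packages) {
    const entry = lockfile.packages[`node_modules/${PKG}`];
    if (entry && entry.version) {
      // The lockfile records what was actually installed, so it is the place
      // to look for a resolved 2.0.5, 2.0.6 or 2.0.7.
      findings.push({ where: 'package-lock.json', spec: entry.version,
        status: MALICIOUS.has(entry.version) ? 'malicious' : 'pinned' });
    }
  }
  return findings;
}

// Constructed sample input: a caret range in package.json that the lockfile
// shows resolved to one of the unauthorized releases.
const samplePackageJson = { dependencies: { [PKG]: '^2.0.0' } };
const sampleLock = { packages: { [`node_modules/${PKG}`]: { version: '2.0.6' } } };
const sampleReport = auditProject(samplePackageJson, sampleLock);
console.log(JSON.stringify(sampleReport, null, 2));
```

    Feed it the parsed contents of your own package.json and package-lock.json; a "malicious" finding means a reinstall on 2.0.8 (or 2.0.4) is needed, and a "floating" finding means the project would have picked up an unauthorized release automatically.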

    Via The Register



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/top-online-animation-tool-lottiefiles-hacked-to-target-victim-crypto-wallets


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)