On October 30, numerous significant crypto platforms observed an influx of dangerous popups that encouraged users to link their wallets. Information about the unauthorized access originated from a supply chain attack on the widely used Lottie Player animations library.
This JavaScript library which is used by popular websites including the ones run by Apple, Spotify, and Disney was manipulated to include a crypto-draining popup that targeted decentralized finance (DeFi) projects like 1inch and TEN Finance.
The details of the supply chain breach
LottieFiles’ GitHub account was attacked by obtaining a senior software engineer’s authentication data after which the attackers quickly released three updates containing malware in all.
Consequently, any site or app incorporating the hacked version of Lottie Player flooded the users with popups that led them to the said Ace Drainer crypto drainer. This approach was a departure from those previous methods, as it was essentially serving users ads through their favourite and most reliable crypto applications as opposed to sending out phishing links on other apps.
Industry response and security recommendations
When the attack was identified, LottieFiles deleted the malicious update and advised application developers to update to either the safer 2.0.4 version or the most recent 2.0.8 version of the library. Engineering vice-president at LottieFiles Jawish Hameed corroborated these changes, reimbursing that the afflicted versions had been removed from GitHub repositories.
Cybersecurity companies such as Wiz and Blockaid have discouraged users from relaxing, saying that some crypto websites may still show the malicious popup even when using the affected library versions.
Recently there has been growing use of trusted SLPs as attackers rely on them more often. Since the instances of scams and security breaches are on the increase, the platforms are encouraged to enhance the monitoring activities and include frequently updates to protect against other related threats in future.