In a major coordinated attack on the web3 space, on-chain sleuths discovered a massive supply chain attack on Lottie Player earlier today. According to the LottieFiles team, the attackers managed to plug in bugs into several Lottie Player versions – including 2.05, 2.06, and 2.0.7. Notably, the said versions were uploaded and published on GitHub’s npm platform.
“The unauthorized versions contained code that prompted for connecting to user’s crypto wallets. A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release,” the LottieFiles team noted.
The LottieFiles team is currently investigating the incident as it is believed that a developer with the required privileges facilitated the attack. The LottieFiles team noted that it has published a new safe version dubbed 2.0.8, which is a copy of the original Lottie Player version 2.0.4.
Most importantly, the LottieFiles team has unpublished the compromised package versions from the npm platform to mitigate further damage.
Additionally, the LottieFiles team removed all access and associated service accounts of the impacted developer.
Impact of the Lottie Player Supply Chain Attack
According to the on-chain analysis platform Scam Sniffer, the Lottier Player supply chain attack compromised major decentralized applications (Dapps) led by 1inch (1INCH), and Movement network. With the attacker having the motive of draining users’ funds, the 1inch protocol has pledged to refund all the affected users through its network.
Meanwhile, the 1-inch team has advised all affected users to revoke the ERC20 smart contract approvals from malicious addresses using revoke.cash to prevent further harm. According to on-chain data analysis, a web3 user lost 10 Bitcoins, worth over 720k, earlier today due to the Lottie Player supply chain attack.