Crypto Hackers Strike Again: Lottie Player Compromised, Users Lose 10 BTC!

3 weeks ago 19

Radiant Capital Hack How a Multisig Flaw Led to a $50M Loss

The post Crypto Hackers Strike Again: Lottie Player Compromised, Users Lose 10 BTC! appeared first on Coinpedia Fintech News

In a major coordinated attack on the web3 space, on-chain sleuths discovered a massive supply chain attack on Lottie Player earlier today. According to the LottieFiles team, the attackers managed to plug in bugs into several Lottie Player versions – including 2.05, 2.06, and 2.0.7. Notably, the said versions were uploaded and published on GitHub’s npm platform.

“The unauthorized versions contained code that prompted for connecting to user’s crypto wallets. A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release,” the LottieFiles team noted.

Immediate Mitigating Action

The LottieFiles team is currently investigating the incident as it is believed that a developer with the required privileges facilitated the attack. The LottieFiles team noted that it has published a new safe version dubbed 2.0.8, which is a copy of the original Lottie Player version 2.0.4.

TLDR: Massive Supply Chain attack had been happening on the highly popular JS Library lottie-player since ~2 hours ago that populates attackers Web3 wallet connection pop-up on legitimate websites.

I'll write here what we know, what can be done and how to detect it in the wild.… pic.twitter.com/aX4DIj7Olp

— Nagli (@galnagli) October 31, 2024

Most importantly, the LottieFiles team has unpublished the compromised package versions from the npm platform to mitigate further damage.

Additionally, the LottieFiles team removed all access and associated service accounts of the impacted developer.

Impact of the Lottie Player Supply Chain Attack

According to the on-chain analysis platform Scam Sniffer, the Lottier Player supply chain attack compromised major decentralized applications (Dapps) led by 1inch (1INCH), and Movement network. With the attacker having the motive of draining users’ funds, the 1inch protocol has pledged to refund all the affected users through its network.

Meanwhile, the 1-inch team has advised all affected users to revoke the ERC20 smart contract approvals from malicious addresses using revoke.cash to prevent further harm. According to on-chain data analysis, a web3 user lost 10 Bitcoins, worth over 720k, earlier today due to the Lottie Player supply chain attack.

Read Entire Article