Top online animation tool LottieFiles hacked to target victim crypto wallets

3 weeks ago

Migliori Bitcoin wallet (Image credit: Shutterstock / Wit Olszewksi)

A celebrated online animation instrumentality was abused to instrumentality group into handing complete entree to their cryptocurrency wallets, pinch astatine slightest 1 individual losing adjacent to $700,000.

LottieFiles is simply a level that provides devices and a room for creating, editing, and sharing lightweight, scalable animations successful nan Lottie format. These animations, together pinch nan plugin LottiePlayer, are commonly utilized successful websites and mobile applications pinch 94,000 play downloads and has been downloaded much than 4 cardinal times since its launch.

Recently, an unnamed threat character someway obtained a convention cooky from 1 of nan developers of LottieFiles, and utilized that entree to push 3 caller versions of LottiePlayer (2.0.5, 2.0.6, and 2.0.7) to npmjs. Websites that usage LottiePlayer and were configured to ever usage nan latest type person had nan malicious versions downloaded automatically.

New type released

These caller versions prompted website visitors to link their cryptocurrency wallets, which fundamentally gives nan tract entree to nan stored funds. We don’t cognize really galore group fell for nan instrumentality and connected their wallets, but we do cognize that astatine slightest 1 personification did, and it costs them 10 BTC, which is $696,960 astatine property time. This accusation came from Scam Sniffer, a Web3 anti-scam platform.

"On October 30th ~6:20 PM UTC – LottieFiles were notified that our celebrated unfastened root npm package for nan web subordinate @lottiefiles/lottie-player had unauthorized caller versions pushed pinch malicious code," nan project’s co-founder and CTO, Nattu Adnan, wrote connected GitHub. "This does not effect our dotlottie subordinate and/or SaaS services. Our incident consequence plans were activated arsenic a result. We apologize for this inconvenience and are committed to ensuring information and information of our users, customers, their end-users, developers, and our employees."

The attacker was quickly ousted, and a caller type - 2.0.8, pushed live. This is simply a transcript of nan past safe version, which was 2.0.4.

"We person confirmed that our different unfastened root libraries, unfastened root code, GitHub repositories, and our SaaS were not affected."

Sign up to nan TechRadar Pro newsletter to get each nan apical news, opinion, features and guidance your business needs to succeed!

Via The Register

More from TechRadar Pro

Hackers stole billions of dollars of crypto successful 2023
Here's a database of nan best firewalls today
These are nan best endpoint protection tools correct now

Sead is simply a seasoned freelance journalist based successful Sarajevo, Bosnia and Herzegovina. He writes astir IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, information breaches, laws and regulations). In his career, spanning much than a decade, he’s written for galore media outlets, including Al Jazeera Balkans. He’s besides held respective modules connected contented penning for Represent Communications.

Source Technology