LottieFiles Security Breach: Malicious npm Package Versions Drain Cryptocurrency Wallets
October 31, 2024
While the npm package was compromised, preliminary investigations indicated that LottieFiles' other services, including its dotlottie player and open-source libraries, remained unaffected.
LottieFiles, a platform known for creating and sharing vector-based animations, recently faced a security breach involving its npm package, which led to the distribution of compromised versions 2.0.5, 2.0.6, and 2.0.7.
These malicious versions prompted users to connect their cryptocurrency wallets, resulting in at least one reported victim who lost approximately 10 Bitcoin, valued at over $723,000.
The attack took advantage of how third-party content delivery networks (CDNs) serve the newest published release by default, so the many users who did not pin their package versions automatically received the compromised updates.
The breach was traced back to a phishing attack that led to the theft of a session token, enabling the deployment of the malicious code.
In response to the incident, LottieFiles activated its incident response plan, isolated affected devices, and engaged external experts for a thorough investigation.
The company quickly removed the malicious versions and released a safe update (version 2.0.8), urging users to upgrade immediately and verify the integrity of the update.
To mitigate future risks, users are advised to adopt best practices such as pinning dependencies, implementing a Content Security Policy, and following security recommendations from LottieFiles.
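The pinning advice above is easy to state and easy to get wrong in practice, because both a caret range in package.json and an unversioned CDN URL silently track whatever the registry publishes next. The following is an added example, not LottieFiles' code or tooling: a small audit script that checks a package.json dependency range and the script tags of a page for the two exposure paths the article describes. It assumes the package name is `@lottiefiles/lottie-player` (the "lottie-player" package referred to above), uses the version numbers named in the article (2.0.5 to 2.0.7 compromised, 2.0.8 safe), and understands only a subset of npm's range syntax (exact, `^`, `~`, `*`, `latest`); anything else is conservatively treated as potentially exposed. The package.json object and HTML snippet are constructed sample inputs.

```javascript
// Added example (not LottieFiles' code): audit dependency ranges and CDN
// script tags for the unpinned-dependency exposure described in the article.
const PACKAGE = "@lottiefiles/lottie-player"; // assumed package name
const COMPROMISED = ["2.0.5", "2.0.6", "2.0.7"]; // versions named in the article

// Parse "x.y.z" into [x, y, z]; returns null for anything that is not an exact version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A range is "pinned" only when it is an exact x.y.z version.
function isPinned(range) {
  return parseVersion(range) !== null;
}

// Does `range` permit `candidate` to be installed? Supports exact, ^x.y.z,
// ~x.y.z, "*" and "latest". Unsupported syntax returns true (treated as exposed).
function rangeAllows(range, candidate) {
  const c = parseVersion(candidate);
  if (!c) return false;
  const r = String(range).trim();
  if (r === "*" || r === "latest" || r === "") return true;
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = parseVersion(op ? r.slice(1) : r);
  if (!base) return true; // e.g. ">=2.0.0" or "2.x": not modelled here, assume exposed
  if (!op) return compare(c, base) === 0; // exact pin
  if (compare(c, base) < 0) return false;
  if (op === "~") return c[0] === base[0] && c[1] === base[1]; // same minor
  // caret: same major, or same minor / same patch when the leading components are 0
  if (base[0] > 0) return c[0] === base[0];
  if (base[1] > 0) return c[0] === 0 && c[1] === base[1];
  return c[0] === 0 && c[1] === 0 && c[2] === base[2];
}

// Report, for each dependency field, whether the range is pinned and which of
// the compromised versions it would have accepted.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const range = (pkg[field] || {})[PACKAGE];
    if (range === undefined) continue;
    const exposed = COMPROMISED.filter((v) => rangeAllows(range, v));
    findings.push({ field, range, pinned: isPinned(range), exposed });
  }
  return findings;
}

// Inspect <script src="..."> tags that load the package from a CDN. A URL with
// "@x.y.z" after the package name is pinned; "@latest" or no version is not.
function auditCdnTags(html) {
  const findings = [];
  const re = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const url = m[1];
    const idx = url.indexOf(PACKAGE);
    if (idx === -1) continue;
    const rest = url.slice(idx + PACKAGE.length); // "@2.0.8/dist/..." or "/dist/..."
    const version = rest.startsWith("@") ? rest.slice(1).split("/")[0] : null;
    findings.push({
      url,
      version,
      pinned: version !== null && isPinned(version),
      compromised: version !== null && COMPROMISED.includes(version),
    });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_PACKAGE_JSON = {
  name: "constructed-sample-app",
  dependencies: { [PACKAGE]: "^2.0.3", "some-other-lib": "1.0.0" },
};
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://example.invalid/app.js"></script>
`;

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
console.log(JSON.stringify(auditCdnTags(SAMPLE_HTML), null, 2));
```

Run with `node audit.js`. On the sample input the `^2.0.3` range is reported as unpinned and exposed to all three compromised versions, the `@latest` and unversioned CDN tags are reported as unpinned, and the `@2.0.6` tag is pinned but to a compromised version, which is the case a plain "is it pinned?" check would miss.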
The compromised versions included a callback to phishing sites that acted as a command-and-control (C2) server for the wallet-draining operation.
LottieFiles is conducting an ongoing investigation with external experts to determine the full scope of the attack and has not confirmed the total number of victims or losses.
The incident highlights a broader trend of wallet-draining attacks within the cryptocurrency community, emphasizing the importance of security in software dependencies.
As part of its security measures, LottieFiles has revoked access tokens and removed the access of the developer account that was used to publish the tampered versions.
Summary based on 12 sources
Sources

TechRadar pro • Nov 1, 2024
Top online animation tool LottieFiles hacked to target victim crypto wallets
The Hacker News • Oct 31, 2024
LottieFiles Issues Warning About Compromised "lottie-player" npm Package
The Register • Oct 31, 2024
LottieFiles supply chain attack exposes users to malicious crypto wallet drainer
BleepingComputer • Oct 31, 2024
LottieFiles hacked in supply chain attack to steal users’ crypto