The popular NPM package @lottiefiles/lottie-player enables developers to seamlessly integrate Lottie animations into websites and applications.
On October 30, the community reported the existence of malicious code in versions 2.0.5, 2.0.6, and 2.0.7 of the npm package.
The package maintainers replied and confirmed that the attackers had been able to take over the NPM package using a leaked automation token, the token that was used to automate publication of new package versions.
The malicious code displays a UI overlay asking visitors to connect their crypto wallets by clicking a button or scanning a QR code. In doing so, it also blocks normal use of the infected website.
This is yet another reminder of how fragile the software supply chain is.
Would MFA Have Prevented This?
Multifactor authentication is designed to challenge humans. There are three authentication factors, and 2FA requires two of them:
- something you know (like a password)
- something you have (like a phone or hardware key that generates one-time codes)
- something you are (a biometric identity like a fingerprint or a speech pattern)
Two years ago, NPM decided to enforce 2FA on its users. This was a great move on NPM's side, as we had witnessed many account takeover incidents.
Sounds Great, Doesn’t Work (?)
While this does protect against NPM account takeover attacks through the interactive login page, enforcing 2FA on all accounts comes with a side effect:
- non-human identities can't answer 2FA challenges.
So, when you define an NPM automation token, whoever gets hold of that long auto-generated secret can bypass your 2FA controls and publish new versions.
Back to @lottiefiles/lottie-player
Even with 2FA configured, the threat actors somehow obtained the NPM automation token set in the CI/CD pipeline to automate version releases, and used it to publish the malicious versions 2.0.5, 2.0.6, and 2.0.7 of the package.
The Malicious Code
All it does is display a UI overlay to steer the victim's focus towards connecting their crypto wallets to the malicious interface.
Demo: lottie-player Taken Over by Attackers
Conclusion
Kudos to the package maintainers for quickly releasing an incident response report.
Pin your dependencies tightly. Don't rush to update to the latest release if it's not a security update.
Check and make sure you don't have the malicious versions 2.0.5, 2.0.6, or 2.0.7 of the lottie-player npm package installed.
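The two checks above, finding any installed copy of the compromised versions and verifying that the package is pinned to an exact version rather than a range, can be scripted against a project's lockfile and package.json. The following Node script is an added example written for this page; it is not code from the original post or from the lottie-player project. The sample lockfile and package.json embedded in it are constructed, and the nested "some-widget" package in the sample is hypothetical.

```javascript
// Added example, not from the original post or the lottie-player project:
// scan an npm lockfile for the compromised @lottiefiles/lottie-player
// releases (2.0.5, 2.0.6, 2.0.7), including copies nested under other
// dependencies, and report whether package.json pins the package exactly.
// Usage: node check-lottie.js [package-lock.json] [package.json]

const PACKAGE = "@lottiefiles/lottie-player";
const MALICIOUS_VERSIONS = new Set(["2.0.5", "2.0.6", "2.0.7"]);

// Lockfile v2/v3 list every installed copy under "packages", keyed by its
// node_modules path; lockfile v1 nests copies under "dependencies".
// A v2 lockfile carries both, so "packages" is preferred to avoid double counting.
function findCompromised(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE) && MALICIOUS_VERSIONS.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  if (!lock.packages && lock.dependencies) walkV1(lock.dependencies, "", hits);
  return hits;
}

function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = prefix + "node_modules/" + name;
    if (name === PACKAGE && MALICIOUS_VERSIONS.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
    if (entry.dependencies) walkV1(entry.dependencies, path + "/", hits);
  }
}

// Only an exact "x.y.z" counts as pinned: a range such as "^2.0.4" or
// "~2.0.2" lets a fresh install resolve to a newer, possibly malicious, release.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

function pinStatus(pkgJson) {
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const spec = pkgJson[field] && pkgJson[field][PACKAGE];
    if (spec !== undefined) return { field, spec, pinned: isExactPin(spec) };
  }
  return null; // package not declared directly
}

// Constructed sample inputs (not a real project's files): one bad copy at the
// top level and a clean copy nested under a hypothetical "some-widget" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
    "node_modules/some-widget": { version: "3.1.0" },
    "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": { version: "2.0.4" },
  },
};
const SAMPLE_PACKAGE_JSON = { dependencies: { "@lottiefiles/lottie-player": "^2.0.4" } };

// Print findings and return the list of compromised copies.
function report(lock, pkgJson) {
  const hits = findCompromised(lock);
  for (const h of hits) console.log("COMPROMISED: " + h.path + "@" + h.version);
  if (hits.length === 0) console.log("No malicious lottie-player version installed.");
  const pin = pinStatus(pkgJson);
  if (pin && !pin.pinned) {
    console.log("WARNING: " + pin.field + " spec '" + pin.spec + "' is a range, not an exact pin.");
  }
  return hits;
}

// Run on real files when paths are given, otherwise on the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const [lockPath, pkgPath] = process.argv.slice(2);
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const pkg = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, "utf8")) : SAMPLE_PACKAGE_JSON;
  process.exitCode = report(lock, pkg).length > 0 ? 1 : 0;
}
```

The script exits non-zero when a compromised copy is found, so it can run as a CI step. Note that it inspects the lockfile rather than package.json alone because a caret range in package.json says nothing about which version actually got installed, and because a transitive dependency can pull in a nested copy that never appears in your own package.json.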
The incident highlights a limitation of 2FA in automation environments: automation tokens bypass these controls. This can happen to any major project.