Lottie Player npm package compromised for crypto wallet theft
On October 31st, 2024, the popular npm library @lottiefiles/lottie-player was found to contain malicious code that prompted users to connect their crypto wallets. The malicious code was added after an npm registry account token used for publishing packages was compromised. Safe and vulnerable version ranges for the Lottie Player npm package are provided, along with instructions on how to use Snyk to determine whether you have installed the malicious versions. This incident, an attempt at financial theft of cryptocurrency through crypto wallets, follows a similar attack vector that impacted the Polyfill library in June 2024.
Company
Snyk
Date published
Oct. 31, 2024
Author(s)
Liran Tal
Word count
825
Hacker News points
2
Language
English