Lessons from the LottieFiles Compromise

Published on November 11, 2024

Tweet from LottieFiles

LottieFiles hacked! In this post, we explore the cause and impact of the breach, and we recommend solutions to enhance customer safety by securing your open-source supply chain.

Overview

Last week, LottieFiles was compromised by a sophisticated supply chain attack. The attackers managed to compromise their network, add malicious code to their software and then deploy this code to compromise end users browsing sites with the malicious code. This has resulted in at least one person being compromised around losing over $723,000 (~10 BTC).

A number of controls could be used to prevent an attack like this working in the future, today we will deep dive into how this attack worked and what you can do to stay safe from such attacks in the future.

What Happened?

LottieFiles offers tooling to enable you to create and share animations as part of your websites and applications. The Lottie Player package was an older version of their software that has been discontinued and was currently in "maintenance mode". However, it was still being actively used and has received 100k downloads this week alone.


Diagram of how the compromise happened

According to LottieFiles, the attackers managed to gain access to their systems by successfully phishing one of their employees.

Once they had access the attackers managed to release new versions of the Lottie Player library to NPM, bypassing their entire SDLC process. This library was then distributed to CDNs (Content Delivery Networks) where it was accessible and used by websites across the web.

Many companies using Lottie Player had configured their systems to automatically pull the latest version from the CDN. As a result, when their sites refreshed, they unknowingly downloaded the compromised package, putting themselves and their users at risk.

What's the Impact?

This attack specifically targeted crypto wallets by deploying a crypto drainer. When you browsed to a compromised site you would be asked to connect any crypto wallets you had to the website. If you did, the malicious code would then attempt to transfer crypto funds from your account to theirs. As stated it's estimated at least $723,000 was stolen from one victim alone.

Additionally, there is a huge brand impact for LottieFiles here, as well as for the websites that unwittingly served the malware to their users. If you visited a website that tried to steal your crypto currency, you are much less likely to visit that website again.

Key Takeaways and Safeguards

The LottieFiles incident highlights several critical lessons and potential safeguards.

While open-source software is key to helping businesses move fast and stay competitive; it's important it is used responsibly to protect yourself and your customers from potential compromise.

Bird taking notes

1. Tech Companies Of All Sizes Could Be Impacted

Even companies not traditionally seen as high-value targets, like LottieFiles, can become access points for malware. Attackers can use compromised, low-risk software to laterally move and impact a broad array of downstream users.
This can turn a seemingly benign library into a threat vector for an entire ecosystem.

2. Using Open-Source Software Requires Accountability

Websites relying on open-source packages must be cautious, as vulnerabilities in these packages can allow attackers to exploit their platform and target customers. Beyond the potential financial impact, incidents like these can harm a company’s reputation, eroding user trust.

3. Implement Rigorous Release Protocols

Companies developing open-source packages can take steps to secure their release processes to prevent attacks like this from happening:

  • Strengthen Access Control: Prevent single engineers from having the power to release code updates unilaterally. Additionally, add MFA as a requirement for activities that carry greater risk, such as releasing new software.
  • Require Multiple Approvals for Releases: A dual-signature approach adds a layer of accountability and helps prevent single-point vulnerabilities.
  • Use Secure Pipelines for Package Releases: Avoid giving engineers direct access to edit package repositories; instead, use secure pipelines to monitor and control releases, even for older, maintenance-only code.

4. Limit Automatic Updates on Open-Source Dependencies

For companies utilising open-source packages, avoid auto-updating to the latest version by default. While CDNs offer convenience, automatic updates can pull in unvetted code, exposing your platform to potential vulnerabilities. Pin your dependencies to specific versions and include hashes to give you time to vet new updates in a controlled environment before releasing them. While doing this, it's important to review and update versions on a scheduled basis so the libraries you use don't go out of date exposing you to other public vulnerabilities.

Strengthen Your Security with OSSPREY

Understanding and addressing the risks associated with open-source software is crucial. At OSSPREY, we specialise in detecting and neutralising malware within your open-source supply chain before it impacts you or your customers. Protect your reputation, secure your users, and bolster your software security.

Bird taking notes If you’re ready to protect your open-source software and secure your supply chain, reach out to OSSPREY today.