LottieFiles hit in npm supply chain attack targeting users' crypto

LottieFiles announced that specific versions of its npm package carry malicious code that prompts users to connect their cryptocurrency wallets so they can be emptied.

As discovered yesterday, following multiple user reports about strange code injections, the affected versions are Lottie Web Player (“lottie-player”) 2.0.5, 2.0.6, and 2.0.7, all published yesterday.

LottieFiles quickly released a new version, 2.0.8, which is based on the clean 2.0.4, advising users to upgrade to it as soon as possible.

See more: https://www.bleepingcomputer.com/news/security/lottiefiles-hit-in-npm-supply-chain-attack-targeting-users-crypto/

#cybersecurity #crypto