Looking good now, no more popups. By the way, it started without any warning, and I haven’t updated my site or used that plugin. You can check all the plugins I’m using. I’d love to hear the root cause analysis.
Would love to learn more about this as well.
It could be any plugin you’re using that uses the Lottie Files library.
It doesn’t require any type of update from your Bubble apps because the plugin likely references https://unpkg.com/@lottiefiles/lottie-player@latest (which references the latest version of the library) which contains the bad code.
From reading GitHub it looks like one of their developer’s NPM secret tokens must’ve been hijacked and used to make bad deploys directly to NPM because there are no PRs on GitHub for this.
jawish commented 1 hour ago
We are still investigating but it seems like, as you folks have identified, @Aidosmf token was compromised.
The token was used to publish versions 2.0.5, 2.0.6, 2.0.7 in successive releases over 3 hours.
2.0.5 - pushed to npm at 8:12 PM GMT, 30 Oct 2024
2.0.6 - pushed to npm at 8:35 PM GMT, 30 Oct 2024
2.0.7 - pushed to npm at 9:57 PM GMT, 30 Oct 2024
We have removed the compromised account access and published a new 2.0.8 version that is a copy of the 2.0.4, for all those of you who are using the implicit latest tag via CDNs.
If you are using it by explicitly specifying the version and are using any of the affected versions, please change to 2.0.4 or 2.0.8. We have reached out to npm to help unpublish the affected versions as their web portal and CLI are not letting us unpublish the affected versions.
It looks like their VP of Engineering put a fix out for this in version 2.0.8 of the library
Edit: Lottie Files published a postmortem: x.com
I just saw that my code uses the ‘latest’, I should switch to yours
@dorilama thanks for the details
Nobody had mentioned anything like that previously in the thread. When capturing that code from lottie files directly, they provide the code with the ‘latest version’ using the @latest instead of the current player. I’d imagine a lot of plugin developers are finding the code in the same way I had. Good to know that and from now on, when using this code directly in the app via HTML, I’ll look to avoid the @latest and use a specific player as @julianno.09 does.
Incident Response for Recently Infected Lottie-Player versions 2.0.5, 2.0.6, 2.0.7
Comm Date/Time: Oct 31st, 2024 04:00 AM UTC
Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees.
Immediate Mitigation Actions
- Published a new safe version (2.0.8)
- Unpublished the compromised package versions from npm
- Removed all access and associated tokens/services accounts of the impacted developer
Impact
- Versions 2.0.5, 2.0.6, 2.0.7 were published directly to npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.
- The unauthorized versions contained code that prompted for connecting to user’s crypto wallets.
- A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix.
Recommended Steps
- If using 2.0.5, 2.0.6 and 2.0.7 versions please update to the latest version 2.0.8
SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==
- If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets.
Next Steps
- LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.
- We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected.
If you believe you’re affected, don’t hesitate to reach out to us at priority_support@lottiefiles.com
Such a crazy coincidence, I was thinking about installing this a few weeks ago and then I thought to myself “Nah it doesn’t seem worth the security risk just for animations” and then this happens.
What did you see that highlighted potential security risks?
Nothing specific, just a bunch of little things. You can obviously have this happen with any 3rd party JS library, but their site was slow/buggy/glitchy and it just felt amateur and unpolished. My other concern was that you can possibly insert malicious code in the .JSON files instead of the animation code. Really didn’t like that the animation files used .JSON.
Just to confirm: Is it safe to install the plugin now??
Help! I also have this issue but I don't have the Lottie plugin; I do have 72 HTML elements with the Lottie iframe code… What will be the best option? What should I do?
Do you still see the pop up?? I deleted the plugin yesterday and didn’t see it again.
There’s some code higher up this thread that you can add to your header to stop it
If you or your clients are a little anxious after this event - see this post on how to do a risk assessment of all the JavaScript libraries in use in your Bubble app.
This issue was resolved