A recent supply chain attack on Lottie Player, a popular WordPress animation tool, resulted in the loss of 10 Bitcoin (BTC) from an Avalanche wallet.
This security breach exposed Web3 users to malicious links that compromised their wallets. The attack was part of a larger scheme targeting users of Ethereum and other EVM-compatible networks, using fake wallet connection prompts to drain assets.
Attack targets Web3 users through popular wallets
The compromised versions of Lottie Player were used to display deceptive wallet connection prompts on various platforms. These prompts encouraged users to connect Web3 wallets like MetaMask and WalletConnect, ultimately allowing attackers to gain unauthorized access to their funds. The attack, which reportedly lasted for at least 12 hours, specifically impacted projects like 1inch and Mover. The decentralized exchange service 1inch, a widely used platform in the Ethereum ecosystem, may have exposed numerous wallets to these malicious scripts.
Blockaid and Bubble are also affected by malicious pop-ups
Security researchers from Blockaid have identified “Ace Drainer” as the likely origin of the attack. Blockaid and Bubble, another popular platform for building web applications, were also impacted by malicious pop-ups originating from the compromised Lottie Player scripts. During the attack window, users who interacted with these prompts risked signing away permissions that granted attackers ongoing access to their wallets. Once inside, the attackers swapped stolen tokens through decentralized exchanges like Uniswap and used MetaMask’s swap feature to convert stolen assets quickly.
Lottie Player responds with a safe version release
In response to the attack, the Lottie Player team has released a secure update (version 2.0.8) and removed the compromised versions from NPM. The breach reportedly occurred because an access token from a developer’s account was compromised, allowing the attackers to publish three tainted script versions. To mitigate future risks, the team has recommended that affected sites revert to a safe version or remove the scripts entirely. Users are advised to revoke any permissions granted during the attack period, especially if they connected their wallets through unfamiliar links.
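Site operators checking the remediation above need to know which pages still load Lottie Player and whether the version is pinned at or above the fixed release. The following added example (written for this article, not code from the Lottie Player project) scans HTML for lottie-player script tags and flags unpinned or pre-2.0.8 references; the CDN URL shapes and the constructed sample page are assumptions.

```python
import re

# Fixed release named in the article; anything older is treated as suspect.
SAFE_VERSION = (2, 0, 8)

# Assumed substring identifying the package in CDN URLs (the article says only "Lottie Player").
PACKAGE_HINT = "lottie-player"

_SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
# Matches CDN-style paths such as .../lottie-player@2.0.8/... or .../lottie-player/2.0.8/...
_VERSION = re.compile(r'lottie-player(?:@|/)(\d+(?:\.\d+)*)')


def parse_version(text):
    """'2.0.8' -> (2, 0, 8); shorter strings are padded so '2' compares as (2, 0, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def classify_src(src):
    """Return 'ok', 'outdated' or 'unpinned' for one lottie-player script URL."""
    m = _VERSION.search(src)
    if not m:
        # No pinned version (bare path or @latest): the site loads whatever the
        # CDN currently serves, which is how a freshly published tainted release
        # reaches visitors without any change on the site itself.
        return "unpinned"
    return "ok" if parse_version(m.group(1)) >= SAFE_VERSION else "outdated"


def audit_html(html):
    """List (src, verdict) for every lottie-player script tag found in a page."""
    findings = []
    for src in _SCRIPT_SRC.findall(html):
        if PACKAGE_HINT in src:
            findings.append((src, classify_src(src)))
    return findings


# Constructed sample page for demonstration; not taken from any real site.
SAMPLE_HTML = """
<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.5/dist/lottie-player.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, verdict in audit_html(SAMPLE_HTML):
        print(f"{verdict:9} {src}")
```

Run it over a crawl of your own pages; "unpinned" hits are the ones to fix first, since they track whatever the CDN publishes next.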
This incident highlights the growing threat of supply chain attacks targeting Web3 platforms and wallets, especially as the crypto market enters a new growth phase. Users are urged to exercise caution when connecting their wallets and to avoid granting unrestricted access for signing transactions.