CandleFocus

Animation Tool Lottie Player Hit by Supply Chain Attack, Causes $723K Bitcoin Theft

A major security breach has hit multiple decentralized applications (dApps) after malicious code was injected into the widely used JavaScript animation library Lottie Player. Hackers embedded malicious code into the JSON files that display animations on websites. One individual lost 10 BTC (approximately US$723,000) after unknowingly signing a phishing transaction connected to the breach. The attackers displayed a fake wallet connection prompt that led users to the "Ace Drainer" malware, which mimics a legitimate connection flow to deceive users. Because many sites pulled the compromised Lottie Player versions in automatically, the hackers reached those sites' users without any action on the site owners' part. LottieFiles, the company behind Lottie Player, has removed the affected versions and released a safe version. The decentralized aggregator platform 1inch reassured users that only its web dApp was affected and that its other components remain secure. The breach highlights the risk of supply chain attacks, in which widely used software is targeted so that every downstream site inherits the compromise.
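The detail that matters for defenders is that the compromised versions were pulled in automatically: a site that loads a CDN script tagged `@latest`, or installs an npm range such as `^2.0.0`, receives a newly published release with no deploy of its own. Pinning an exact version together with a Subresource Integrity (SRI) hash turns a changed file into a browser-refused load and makes every upgrade a deliberate step. The script below is an added example written for this article, not code from CandleFocus, LottieFiles or 1inch. It audits an HTML page for unpinned or SRI-less `<script>` tags and a `package.json` for open version ranges. The sample HTML, package manifest, version numbers and the integrity value are constructed; the CDN path shape `/[npm/]<pkg>[@<version>]/<file>` is an assumption that fits unpkg and jsDelivr URLs.

```javascript
// Added example (not from the article, LottieFiles or 1inch): two defender-side
// checks for the "compromised versions were pulled in automatically" failure mode.
// All package versions, the SRI value and the sample inputs below are constructed.

const SCRIPT_TAG_RE = /<script\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
// Assumed CDN path shape: /[npm/]<pkg>[@<version>]/<file> (unpkg, jsDelivr style).
const CDN_PATH_RE = /^\/(?:npm\/)?((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?\//;
const EXACT_SEMVER_RE = /^\d+\.\d+\.\d+$/;
const SRI_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// One finding per external <script> that is not pinned to an exact release
// (no version, "latest", or a major-only tag) or that lacks a valid SRI hash.
function auditScriptTags(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = parseAttrs(m[0]);
    if (!attrs.src) continue; // inline script: not a third-party fetch
    let pathname;
    try { pathname = new URL(attrs.src).pathname; } catch { continue; } // relative, self-hosted
    const pv = CDN_PATH_RE.exec(pathname);
    const pkg = pv ? pv[1] : null;
    const version = pv && pv[2] ? pv[2] : null;
    const issues = [];
    if (pv && (!version || !EXACT_SEMVER_RE.test(version))) issues.push('unpinned');
    if (!SRI_RE.test(attrs.integrity ?? '')) issues.push('no-sri');
    if (issues.length) findings.push({ src: attrs.src, pkg, version, issues });
  }
  return findings;
}

// Flags manifest ranges (^, ~, *, tags) that let a fresh install resolve to a
// release newer than the one that was reviewed.
function auditDependencyRanges(pkgJson) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkgJson[field] ?? {})) {
      if (!EXACT_SEMVER_RE.test(range)) findings.push({ field, name, range });
    }
  }
  return findings;
}

// Constructed inputs: "1.2.3" is a placeholder version, not a statement about
// any real release, and the sha384 value is a placeholder, not a real hash.
const SAMPLE_HTML = `
<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@1.2.3/dist/lottie-player.js"
        integrity="sha384-cGxhY2Vob2xkZXJoYXNobm90cmVhbA==" crossorigin="anonymous"></script>
<script src="https://unpkg.com/some-lib@3/dist/lib.min.js"></script>
<script>window.appReady = true;</script>
</head></html>`;

const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@lottiefiles/lottie-player': '^1.2.3', 'left-pad': '1.3.0' },
  devDependencies: { 'some-build-tool': '~4.1.0' },
};

console.log(JSON.stringify({
  scripts: auditScriptTags(SAMPLE_HTML),
  dependencies: auditDependencyRanges(SAMPLE_PACKAGE_JSON),
}, null, 2));
```

On the sample input the pinned jsDelivr tag with a valid SRI attribute passes, while the `@latest` and `@3` tags are reported for both an open version and a missing hash, and the two caret/tilde ranges in the manifest are reported. A committed lockfile installed with `npm ci` pins transitive dependencies as well; this check covers only what is visible in the page and the manifest, which is where the auto-update exposure described in the article begins.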