Cryptocurrency users are familiar with such attacks, but recent vulnerabilities also affect many ordinary websites. A compromise detected a few minutes ago indicates that decentralized applications (dApps) using Lottie, along with many other sites, may have been turned against their visitors by attackers.
Alert for Cryptocurrency Users
In 2017, three engineers from Airbnb developed libraries for rendering JSON animations on iOS and Android. This framework evolved into Lottie, a tool that exports animations created in Adobe After Effects as JSON files, simplifying the animation needs of websites. Its small file size, easy integration, and good performance have led to widespread adoption.
Detection of a Supply Chain Attack
Returning to the main topic, Blockaid, which provides on-chain cybersecurity services, has detected an attack targeting dApps using the Lottie Player.
“Blockaid team identified a potential supply chain attack aimed at dApps utilizing Lottie Player. A new version of this npm package was released minutes ago, and multiple legitimate dApps are currently performing malicious operations.
Legitimate websites, including those not related to cryptocurrency, are now serving malicious content, including debugging prevention bypass codes.”
Put simply, parts of the library’s code were replaced with malicious code that can harm users. It may be prudent to suspend your dApp permissions and not connect your wallets to applications for a few hours as a precautionary measure.