Recent cybersecurity vulnerabilities have raised alarms, affecting both decentralized applications and various standard websites. A newly identified flaw poses a risk to dApps that utilize the Lottie Player, with attackers potentially exploiting this weakness. This development underscores the urgent need for caution among users operating within these digital environments.
What is Lottie Player?
Lottie Player, developed by engineers at Airbnb in 2017, allows for the seamless integration of animations created in Adobe After Effects into mobile and web applications. This framework has gained significant traction due to its efficiency and ease of use, making it a staple for numerous websites.
How Was the Attack Detected?
Blockaid, a cybersecurity service specializing in on-chain protection, has uncovered a supply chain attack targeting dApps using Lottie Player. This breach was confirmed shortly after a new version of the npm package was released, putting multiple legitimate dApps at risk of executing malicious activities.
The Blockaid team reported that:
- A potential supply chain attack affects dApps leveraging Lottie Player.
- Legitimate websites are now delivering harmful content.
- Critical code within the software library has been compromised.
Given this alarming situation, users are advised to temporarily revoke permissions from their dApps and refrain from connecting their wallets to any applications for the time being.