Inside the Lottie-Player Attack: Uncovering Supply Chain Threats Through Behavioral Analysis
In-depth analysis of the Lottie supply chain attack and how behavioral insights help thwart such threats.
June 10, 2024
GuideProductivityOn October 30, 2024, the JavaScript and cryptocurrency communities experienced a wake-up call: a sophisticated supply chain attack on the widely-used npm package @lottiefiles/lottie-player. This attack resulted in substantial financial loss—approximately 10 BTC (~$800,000) stolen within hours. The incident demonstrates how emerging threats exploit weaknesses in existing security practices and highlights the critical role of runtime behavioral analysis. At Listen.dev, our analysis dives into the attack’s novel techniques and the impact on the community. Here’s what we uncovered and why this attack calls for a shift in supply chain security.
Timeline and Initial Impact
The attackers moved quickly, exploiting a compromised developer token to release several malicious versions of the @lottiefiles/lottie-player
package:
18:12 UTC, Oct 30: Compromised Version 2.0.5 published on npm.
19:03 UTC: Version 2.0.6 published with slight modifications to the payload.
19:57 UTC: Version 2.0.7 published, completing the attack vector.
22:30 UTC: Users reported suspicious wallet connection prompts, leading to the discovery of the compromise.
In just under three hours, three malicious versions spread across millions of users, leveraging CDNs to maximize distribution and reach an expansive target audience without detection.
Attack chain analysis
Entry Point: Compromised Maintainer Credentials
The breach began with the exploitation of compromised developer credentials, allowing the attackers to release malicious updates to versions 2.0.5, 2.0.6, and 2.0.7.
This tactic, known as Account Take Over (ATO), mirrors strategies used in attacks like the Ledger incident, spotlighting a persistent vulnerability in software supply chains.
Dynamic Payload Loading from Trusted CDN
In compromised package versions, the malicious payloads were distributed using the unpkg.com
CDN, which automatically updates to the latest version, and jsdelivr.net
CDN, which specifically served version 2.0.5. This is similar to attacks like Polyfill and Cloudflare's cdn.js, the malicious payload was dynamically loaded from a trusted CDN source.
Selective Activation with Environment Fingerprinting
Embedded within the malware were sophisticated checks designed to ensure activation only occurred within high-value targets, specifically environments associated with Web3 and substantial cryptocurrency assets.
async function validateEnvironment() {
const checks = await Promise.all([checkNodeVersion(), checkDependencies(), checkFileSystem()]);
const targetValidation = { wallet: await detectCryptoWallets(), value: evaluateTargetValue(), risk: calculateRiskScore() };
return executeIfTargetMet(checks, targetValidation);
}
Covert Command-and-Control (C2) via TURN/STUN Protocols
The attackers used TURN/STUN protocols to disguise their command-and-control traffic as legitimate WebRTC activity, evading standard network surveillance. This is novel and unusual channel in supply chain attacks, but builds upon the theme of covert exfiltration channels that are seen in recent attacks.
Steganography in Animation Metadata
The attack incorporated steganography by encoding C2 data within the animation metadata. This method hid malicious commands in plain sight.
function encodeCryptoData(walletData) {
return { v: '5.5.7', fr: 29.97, assets: [{ id: 'data', p: btoa(encodePayload(walletData)) }] };
}
Connections to suspicious sources like imghub.app
and castleservices01.com
using UDP protocol were observed which indicates the transmission of this payload
Detecting the attack early through behavioral anomalies
By comparing the behavior of the compromised versions against a baseline from benign versions (such as 2.0.3 and 2.0.4), Listen.dev was able detected several clear indicators of compromise. The following anomalies differentiated the malicious versions:
Unexpected Network Connections and Domains: Connections to cloudflare-eth.com and castleservices01.com indicated potential C2 or exfiltration servers not present in earlier, clean versions.
Web3 Engagement: Interactions with api.web3modal.org suggested an intent to manipulate Web3 wallet functionalities.
Peer-to-Peer Channels: Use of TURN/STUN protocols (turn.cloudflare.com, stun.cloudflare.com) for establishing covert communication channels, evading standard network security measures.
Network Traffic Surge: A notable increase in network activity, suggesting the establishment of a robust, redundant attack infrastructure.
The identified behaviors directly corresponded to the attackers’ strategic operations:
Wallet Compromise: Prompting for wallet connections through suspicious domains.
Stealthy Data Transfer: Using P2P channels for data exfiltration without detection.
Resilient Infrastructure: Leveraging multiple domains for operational continuity.
Indicators of Compromise (IoCs)
Identify potential exposure with these key IoCs:
Compromised Package Versions:
@lottiefiles/lottie-player versions 2.0.5, 2.0.6, 2.0.7
Suspicious Domains:
castleservices01.com (C2 domain)
api.web3modal.org (Wallet interaction)
cloudflare-eth.com (Phishing prompts)
Network Indicators:
Unusual TURN/STUN traffic
Connections to domains not seen in baseline behavior
Recommendations and Best Practices
Immediate Upgrade: Transition to version 2.0.8 or higher to mitigate the threat.
Advanced Detection: Employ runtime behavioral analysis to catch anomalies in real-time.
CI/CD Security: Rigorous monitoring and control of your build and deployment environments.
Dependency Pinning: Lock your library versions to avoid automatic updates to compromised software.
Security Education: Continuous learning and awareness to keep pace with evolving threats.