Various online crypto apps had their user-facing websites compromised on Wednesday (Oct 30) after malicious code was embedded into a popular animation library.
1inch and TEN Finance, among other decentralized apps, displayed pop-ups asking users to connect their wallets. These prompts were not legitimate: they were injected by threat actors and were the work of the crypto drainer ‘Ace Drainer’.
The malicious code injection was confirmed by the X account of onchain security platform Blockaid.
https://twitter.com/blockaid_/status/1851729469142372711
Blockaid followed up the initial alert with a full attack report and timeline on Thursday.
It detailed the massive supply chain attack on the Lottie Player Library, a widely used resource that provides content for sites such as Apple, Disney, and Spotify.
The report outlined how Blockaid “detected approximately 400 websites that were affected by this attack but estimated that many more were impacted.”
Lottie resolved the incident within a couple of hours by removing the malicious versions from its NPM package and publishing a clean, secure version in their place, so that all users of the library were protected.
Blockaid further stated that it estimates many more websites were impacted than the 400 it identified, but because the payload was a wallet drainer, it suspects only crypto users were left vulnerable.
Some websites “are probably still vulnerable”
As reported by Cointelegraph, a security chief at cybersecurity firm Wiz explained how widely the attack had spread.
Gal Nagli noted how users were seeing the malicious crypto wallet connection popup “on popular websites all across the internet.”
“It seems that the original attack intent was to target major crypto websites who (sic) utilize the library,” he continued.
Nagli warned websites that still use the affected library versions “are probably still vulnerable,” asking users to check if sites are using the updated, non-malicious packages — either version 2.0.4 or the most recent 2.0.8.
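The check Nagli describes can be automated. The script below is an added example, not code from the article, Blockaid, Wiz, or the Lottie project: it scans a page's `<script src>` tags and a `package.json` for references to the Lottie Player package and flags anything that is either unpinned (so it could resolve to a different version than the one reviewed) or not one of the versions the article names as clean (2.0.4 and 2.0.8). It assumes the npm package name `@lottiefiles/lottie-player` and the `package@version/path` URL layout used by CDNs such as unpkg and jsDelivr; the sample HTML and `package.json` are constructed for the example.

```python
import json
import re

# Assumed npm package name for the Lottie Player web component (not stated in the article).
PACKAGE = "@lottiefiles/lottie-player"

# Versions the article names as clean. Anything else is reported as "unverified",
# not as "malicious": the article does not list the compromised version numbers.
KNOWN_GOOD = {"2.0.4", "2.0.8"}

# Pull the src attribute out of every <script> tag.
_SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

# Match "<package>@<version>" or a bare "<package>" inside a CDN URL, e.g.
#   https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js
#   https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js
#   https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js   (no version)
_VERSION_IN_URL = re.compile(re.escape(PACKAGE) + r"(?:@([^/]+))?(?=/|$)")


def classify_version(spec):
    """Return 'ok', 'unpinned' or 'unverified' for a version string or npm range."""
    if spec is None or spec == "latest" or any(c in spec for c in "^~*xX><="):
        # No version, a 'latest' tag, or a semver range: the resolved version can change
        # underneath you, which is exactly how a poisoned release reaches a page.
        return "unpinned"
    return "ok" if spec in KNOWN_GOOD else "unverified"


def audit_html(html):
    """Report every script tag that loads the Lottie Player package from a URL."""
    findings = []
    for src in _SCRIPT_SRC.findall(html):
        match = _VERSION_IN_URL.search(src)
        if not match:
            continue  # some other script; not our concern here
        version = match.group(1)
        findings.append({"source": src, "version": version, "status": classify_version(version)})
    return findings


def audit_package_json(text):
    """Report the Lottie Player dependency spec from a package.json, if present."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        spec = data.get(section, {}).get(PACKAGE)
        if spec is not None:
            findings.append({"source": section, "version": spec, "status": classify_version(spec)})
    return findings


# Constructed sample inputs: one pinned clean version, one 'latest' tag, one unversioned
# reference, one unrelated script, and a package.json using a caret range.
SAMPLE_HTML = """
<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://example.invalid/static/app.js"></script>
</head><body></body></html>
"""
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {"@lottiefiles/lottie-player": "^2.0.4"}})

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML) + audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{finding['status']:<10} {finding['version']!s:<8} {finding['source']}")
```

Only `ok` findings need no action; `unpinned` references should be pinned to a reviewed version (and ideally carry a subresource integrity hash when loaded from a CDN), and `unverified` ones should be compared against the vendor's own advisory before being trusted.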