Non Cult Crypto News


Crypto apps see malicious popups after Ace Drainer hacks animation library

The popular Lottie Player animations library was hacked to push a crypto-draining popup on multiple websites; the issue has now been fixed.


The front-end websites of several online crypto apps were compromised on Oct. 30 after attackers injected malicious code into an update of a popular and widely used animation library.

Decentralized finance apps, including 1inch and TEN Finance, showed popups asking users to connect their wallets. The popups were actually for the crypto drainer “Ace Drainer,” crypto security platform Blockaid said in an Oct. 30 X post.

Gal Nagli, a security lead at cybersecurity firm Wiz, explained that the compromise stemmed from a “massive supply chain attack” on the Lottie Player library, a hugely popular service that provides animations for sites and apps and boasts users like Apple, Spotify, and Disney.

Source: Blockaid

The attack is unique as it injected a malicious popup into a seemingly otherwise unaffected website. Attackers typically breach highly followed social media accounts to trick followers into clicking phishing links on fake websites.

Jawish Hameed, the engineering vice president at LottieFiles — the firm that publishes the animations library — wrote on GitHub the affected library versions had been removed and urged users to install the latest version.

He said that attackers compromised the GitHub account of a LottieFiles senior software engineer and pushed three malicious updates in three hours, adding that LottieFiles had “removed the compromised account access.”


Wiz’s Nagli said users were seeing the malicious crypto wallet connection popup “on popular websites all across the internet.”

“It seems that the original attack intent was to target major crypto websites who utilize the library,” he added.

Nagli warned that websites that still use the affected library versions “are probably still vulnerable,” saying users should check if sites are using the non-malicious packages — either version 2.0.4 or the latest 2.0.8.
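One way to run the check Nagli describes, as an added example that is not from Cointelegraph, Wiz or LottieFiles: it scans page markup and a package-lock.json for the library and grades each reference against the two known-good versions named above. It assumes the library is the npm package @lottiefiles/lottie-player and that the malicious releases fall between 2.0.4 and 2.0.8; the function names, the cdn.example host and the sample data are constructed for illustration.

```javascript
// Added example: audit lottie-player references against the versions the article names.
const PKG = "@lottiefiles/lottie-player"; // npm package name (assumption: the library the article means)
const LAST_GOOD = [2, 0, 4]; // known-good per the article
const FIXED = [2, 0, 8];     // latest fixed release per the article

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "suspect": strictly between the two known-good releases (assumption: the
// three malicious updates fall in that window). "unpinned": no exact version,
// so the markup alone cannot tell which release a visitor receives.
function classify(spec) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(spec || "");
  if (!m) return "unpinned";
  const v = m.slice(1).map(Number);
  return compare(v, LAST_GOOD) > 0 && compare(v, FIXED) < 0 ? "suspect" : "ok";
}

// Find <script src> tags that load the package from a CDN-style URL (pkg@version/...).
function auditHtml(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, src] of html.matchAll(tagRe)) {
    const at = src.indexOf(PKG);
    if (at === -1) continue; // some other script, not the library
    const ver = /^@([^\/?#]+)/.exec(src.slice(at + PKG.length));
    const version = ver ? ver[1] : null;
    findings.push({ src, version, status: classify(version) });
  }
  return findings;
}

// Check the resolved version in a package-lock.json (lockfileVersion 2 or 3 layout).
function auditLockfile(lock) {
  const entry = (lock.packages || {})["node_modules/" + PKG];
  return entry ? { version: entry.version, status: classify(entry.version) } : null;
}

// Constructed sample input (cdn.example is a placeholder host; 2.0.6 stands in
// for any version between the two known-good ones).
const SAMPLE_HTML = `
<script src="https://cdn.example/${PKG}@2.0.8/dist/lottie-player.js"></script>
<script src="https://cdn.example/${PKG}@2.0.6/dist/lottie-player.js"></script>
<script src="https://cdn.example/${PKG}@latest/dist/lottie-player.js"></script>
<script src="https://cdn.example/other-lib@1.0.0/index.js"></script>`;
const SAMPLE_LOCK = { packages: { ["node_modules/" + PKG]: { version: "2.0.4" } } };

console.log(auditHtml(SAMPLE_HTML), auditLockfile(SAMPLE_LOCK));
```

A "suspect" or "unpinned" result means the reference should be moved to an exact known-good version and redeployed.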

LottieFiles did not immediately respond to a request for comment.


This article first appeared at Cointelegraph.com News


Written by Outside Source
