The popular Lottie Player animation library was compromised to push a crypto-draining popup on multiple websites; the issue has since been fixed.
The front-end websites of several online crypto apps were compromised on Oct. 30 after attackers injected malicious code into an update of a popular and widely used animation library.
Decentralized finance apps, including 1inch and TEN Finance, showed popups asking users to connect their wallets; the prompt actually came from the crypto drainer “Ace Drainer,” crypto security platform Blockaid said in an Oct. 30 X post.
Gal Nagli, a security lead at cybersecurity firm Wiz, explained that the compromise stemmed from a “massive supply chain attack” on the Lottie Player library, a hugely popular service that provides animations for sites and apps, with users such as Apple, Spotify, and Disney.