We’re sharing an important update on a security incident involving our @lottiefiles/lottie-player npm package. In this post, we’ll cover what happened, how we addressed it, and the steps we’re taking to ensure a stronger security posture moving forward.
Summary
All systems continue to operate normally, and we can confirm that no customer data, uploaded files, platform services, plugins, APIs, private animations, or workspaces were affected or compromised. None of our code repositories, infrastructure, or internal systems were breached either. The incident was a compromise of the npmjs.com account of an authorized developer with publish access to the @lottiefiles scope; the attacker used that account to publish new versions of @lottiefiles/lottie-player containing a Bitcoin drainer. This affected a limited set of users who automatically pull the latest version of the package, especially via public CDNs. We quickly published a clean version and worked with npm and global CDN providers to remove the affected versions. We remain vigilant and committed to delivering the best service to our community. This incident has set us on a path to further improve our security posture, and we thank you for your trust in us.
About @lottiefiles/lottie-player
The @lottiefiles/lottie-player package is a JavaScript web component that we previously recommended for displaying Lottie animations on websites. It was included in our embed snippets until August 2023, after which it moved to maintenance mode and has not been actively updated. Our recommendation switched to the new dotLottie player, which brings major improvements in performance and security; dotLottie files are 80% smaller than traditional JSON Lottie files and load faster.
The @lottiefiles/lottie-player package remains widely used and available on npm, with over 90,000 downloads, and is still featured in examples on our site and elsewhere. For users interested in migrating to dotLottie, our developer portal provides full instructions.
Who Is Affected?
- CDN Users: Websites loading @lottiefiles/lottie-player@latest directly from a CDN were temporarily served the malicious versions (2.0.5, 2.0.6, 2.0.7). Since the safe version (2.0.8) was released and the affected files were purged, requests for latest resolve to the secure version; a browser that cached a malicious copy will keep using it until that cache entry expires or is cleared.
- NPM Users: Anyone who installed or updated the package via npm during the short window when the malicious versions were available should check their lockfile for 2.0.5, 2.0.6 or 2.0.7 and update to the latest safe version, 2.0.8.
Root Cause and Preventative Actions
Our investigation traced the incident to an account takeover (ATO) of an employee's npm account via a phishing attack. This allowed unauthorized versions (2.0.5, 2.0.6, 2.0.7) of @lottiefiles/lottie-player to be published directly to npmjs.com, bypassing the open-source GitHub repository and our release mechanisms; the published code triggered a "Connect Wallet" prompt. To prevent a recurrence, we have strengthened our package release process with enhanced authentication and access controls, so that no single account can independently publish updates.
Actions Taken
To contain and mitigate the issue, we immediately:
- Published a secure version (2.0.8) of the @lottiefiles/lottie-player package on npm.
- Revoked individual developer publish access to our npm packages and reset all npm access tokens.
- Coordinated with CDN providers to remove infected files globally.
- Quarantined the affected device for post-incident analysis.
- Within the first hour, we engaged the cloud security and operations firm Exaforce to help with rapid incident response, the CDN purge, and implementing npm package provenance. Exaforce continues to work with us on improving our security posture and on ongoing cloud detection and response.
We extend our gratitude to CDN partners and community members who helped us quickly resolve this issue.
Next Steps and Enhanced Security Measures
While the @lottiefiles/lottie-player package was affected, we have confirmed that our other open-source libraries, including dotLottie libraries, GitHub repositories, and SaaS services were unaffected. As part of our commitment to enhancing security, we are conducting a thorough audit of all systems and implementing additional security protocols across our code delivery pipeline. Our third-party incident response experts are working around the clock to support this ongoing effort.
The open-source community and industry-wide package distribution systems need to be rethought. LottieFiles and Exaforce will come back with improvements and suggestions that we believe will benefit us and the open-source software (OSS) at large.
Guidance for Users
We recommend that all users update to version 2.0.8 of @lottiefiles/lottie-player. In production, pin an exact version rather than "latest", both in package.json and in any CDN URL, to minimize the risk of unplanned updates. These practices contribute to a more stable and secure experience with our libraries.
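The following Node.js script is an added example, not LottieFiles' code, covering both the "Who Is Affected?" checks and the pinning guidance above. It scans a package-lock.json for installed copies of @lottiefiles/lottie-player at the malicious versions (2.0.5, 2.0.6, 2.0.7), flags CDN script tags that float on latest, use a malicious version, or are pinned without a subresource integrity hash, and rewrites a package.json to the exact safe version with an npm overrides entry. The lockfile and HTML it runs against are constructed sample inputs, and the integrity value in them is a placeholder rather than a real hash.

```javascript
// Added example, not LottieFiles' code: check a project for the malicious
// @lottiefiles/lottie-player versions named in the advisory (2.0.5, 2.0.6,
// 2.0.7) and for CDN includes that float on "latest", then produce a pinned
// package.json. SAMPLE_LOCKFILE and SAMPLE_HTML are constructed inputs.

const PACKAGE = "@lottiefiles/lottie-player";
const MALICIOUS_VERSIONS = new Set(["2.0.5", "2.0.6", "2.0.7"]);
const SAFE_VERSION = "2.0.8";

// Constructed package-lock.json (lockfileVersion 3): every installed copy is
// listed under "packages" keyed by its node_modules path, so nested copies
// pulled in by other dependencies are found too.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", dependencies: { [PACKAGE]: "^2.0.0" } },
    ["node_modules/" + PACKAGE]: {
      version: "2.0.6",
      resolved: "https://registry.npmjs.org/@lottiefiles/lottie-player/-/lottie-player-2.0.6.tgz",
    },
    "node_modules/lit": { version: "2.8.0" },
  },
});

// Constructed HTML with four CDN includes; only the last one is acceptable.
// The integrity value is a placeholder, not a real hash of the file.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://cdn.example.invalid/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
`;

// Return every installed copy of the package whose version is one of the
// malicious releases, with the node_modules path it was installed at.
function findAffectedInLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE)) continue;
    if (MALICIOUS_VERSIONS.has(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Flag <script src> tags that load the package without a version or with
// "@latest" (both resolve to whatever is newest at request time), with a
// malicious version, or pinned but without a subresource integrity hash.
function findRiskyCdnIncludes(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [tag, src] = m;
    if (!src.includes(PACKAGE)) continue;
    const ver = src.match(/lottie-player@([^/]+)/);
    const version = ver ? ver[1] : null;
    if (version === null || version === "latest") {
      findings.push({ src, reason: "unpinned: resolves to latest" });
    } else if (MALICIOUS_VERSIONS.has(version)) {
      findings.push({ src, reason: "malicious version " + version });
    } else if (!/\sintegrity=/.test(tag)) {
      findings.push({ src, reason: "pinned but no integrity attribute" });
    }
  }
  return findings;
}

// Pin the direct dependency to the exact safe version and add an npm
// "overrides" entry (supported since npm 8.3) so any nested copy is forced
// to the same version. Returns a new object; the input is not mutated.
function pinToSafeVersion(pkgJson) {
  const out = JSON.parse(JSON.stringify(pkgJson));
  for (const field of ["dependencies", "devDependencies"]) {
    if (out[field] && PACKAGE in out[field]) out[field][PACKAGE] = SAFE_VERSION;
  }
  out.overrides = { ...(out.overrides || {}), [PACKAGE]: SAFE_VERSION };
  return out;
}

console.log(JSON.stringify({
  lockfile: findAffectedInLockfile(SAMPLE_LOCKFILE),
  cdn: findRiskyCdnIncludes(SAMPLE_HTML),
  pinned: pinToSafeVersion({ dependencies: { [PACKAGE]: "^2.0.0" } }),
}, null, 2));
```

Against the sample inputs the lockfile scan reports the nested 2.0.6 copy, and the HTML scan reports the latest include, the 2.0.8 include with no integrity hash, and the 2.0.7 include, leaving only the pinned include with an integrity attribute unflagged. Against a real project, read package-lock.json and the built HTML from disk in place of the constructed strings; the overrides entry matters because a malicious version can also arrive as a transitive dependency of another package.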
Our Commitment to Security
The trust of our community is our top priority, and we are dedicated to continuous improvement in our security practices. We remain vigilant, continue to monitor all systems, and will provide additional updates as needed. Thank you for your understanding, patience, and support as we work to ensure a safe experience with LottieFiles.
If you have any questions or believe you may have been affected, please reach out to us at [email protected]. For more details, see our Preliminary Incident Report.