Crypto apps hit by malware after animation library hack

Several online crypto applications experienced security breaches on October 30 due to malicious code injected into a widely used animation library.

Decentralised finance platforms like 1inch and TEN Finance displayed popups urging users to connect their wallets, which were linked to the crypto-draining malware “Ace Drainer,” according to a post from security platform Blockaid.

The breach stemmed from an attack on the Lottie Player library, a popular service that provides animations for websites and apps.

Lottie Player counts high-profile companies like Apple, Spotify, and Disney among its users.

Gal Nagli, a cybersecurity expert at Wiz, described it as a “massive supply chain attack” in which hackers inserted malicious popups onto otherwise legitimate websites.

Unlike traditional phishing attacks where scammers take over social media accounts to lure users to fake websites, this attack embedded harmful code into a legitimate library update.

This approach allowed attackers to target well-known crypto platforms that used the compromised library.

Jawish Hameed, vice president of engineering at LottieFiles, confirmed the breach on GitHub.

He explained that the attackers had compromised a senior software engineer’s GitHub account and pushed three harmful updates within three hours.

Hameed reassured users that the compromised versions had been removed, and he urged them to update to the safe versions, either 2.0.4 or the latest 2.0.8.

Nagli cautioned that users might still encounter the malicious popups on websites that haven’t updated to secure versions of the Lottie Player library.

He advised users to verify if sites are using the non-compromised versions to avoid the risk.