LottieFiles ends crypto wallet-targeting supply chain attack
Briefly

"On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open-source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," Adnan wrote on the project's GitHub. The statement marks the point at which LottieFiles formally acknowledged the compromise of the package.
"This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees." The statement limits the stated impact to the lottie-player npm package and confirms that LottieFiles' incident response process was activated.
Nattu Adnan, co-founder and CTO at LottieFiles, confirmed on Thursday that a highly privileged developer had their account accessed via a stolen session token and that attackers used it to push malicious code to users. The entry point was a stolen session token on a privileged developer account, which is why protecting such tokens and the accounts that hold publish rights matters.
Read at The Register