{"id":"MAL-2024-10301","summary":"Malicious code in @lottiefiles/lottie-player (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (faa879b0fa360852899250846599b4b81d442b942d5e4fec4101044400272af1)\nThe NPM package @lottiefiles/lottie-player had unauthorized new versions published\nthat contained malicious code.\n\nThe malicious code prompted users to connect crypto wallets.\n","modified":"2024-10-31T23:17:47Z","published":"2024-10-31T23:17:47Z","database_specific":{"malicious-packages-origins":[{"sha256":"faa879b0fa360852899250846599b4b81d442b942d5e4fec4101044400272af1","source":"google-open-source-security","versions":["2.0.5","2.0.6","2.0.7"],"modified_time":"2024-10-31T23:17:47Z","import_time":"2024-10-31T23:21:21.099965Z"}]},"references":[{"type":"REPORT","url":"https://github.com/LottieFiles/lottie-player/issues/254"},{"type":"ARTICLE","url":"https://thehackernews.com/2024/10/lottiefiles-issues-warning-about.html"},{"type":"WEB","url":"https://x.com/LottieFiles/status/1851848602093777273"}],"affected":[{"package":{"name":"@lottiefiles/lottie-player","ecosystem":"npm","purl":"pkg:npm/%40lottiefiles/lottie-player"},"versions":["2.0.5","2.0.6","2.0.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@lottiefiles/lottie-player/MAL-2024-10301.json"}}],"schema_version":"1.7.3"}