A recent security breach has hit the decentralized exchange aggregator 1inch and other platforms like TEN Finance, stemming from malicious code embedded in the Lottie Player animation library.

This vulnerability affects versions 2.0.5 and later of Lottie Player, allowing unauthorized transactions that jeopardize users’ funds and personal information. Experts are urging users to steer clear of these platforms until the issues are fully addressed.

The attack originated from compromised JSON files within the Lottie Player library, enabling affected websites to perform unauthorized actions. According to Blockaid, a cybersecurity firm, the breach was linked to a corrupted npm package on Lottie Player’s content server.

Attackers managed to insert harmful scripts, even bypassing security measures. Alarmingly, legitimate sites outside the crypto realm may also be unwittingly distributing this malicious content. While 1inch has yet to release an official statement on the breach, the Lottie Player team is actively working to rectify the situation.

This incident highlights a troubling trend of escalating cyberattacks in the cryptocurrency space. The industry has seen increasingly sophisticated breaches, with recent hacks resulting in significant losses, such as $20 million stolen from the U.S. government and over $50 million from blockchain lender Radiant Capital due to compromised private keys.

In response to the growing threat, federal investigations into crypto crimes have ramped up. The FBI recently arrested Eric Council Jr. for allegedly hacking the SEC’s X (formerly Twitter) account and spreading false information about Bitcoin ETF approvals, which disrupted the market. Although he is currently in custody, authorities believe he may not be the primary orchestrator of the hack and are discussing a plea deal with him.
