A major security breach has affected a number of decentralized applications (dApps), with the attack originating from malicious code injected into Lottery Player, a widely used JavaScript animation library.
The attack Exploited With recent updates of the Lottery Player npm package, specifically 2.0.5 to 2.0.7, hackers inject malicious code into JSON files that display animations on web pages.
At least one individual lost 10 BTC (US$723,000) after unknowingly signing a phishing transaction linked to the breach, it said. Cheater cheaterA platform designed to protect users from online fraud.
Blockaid, a cyber security platform that monitors the incident Confirmed On Wednesday, the attackers deployed a fake wallet connection request, which led users to the drain malware “Ace Drainer” and pretended to be legitimate connections to trick users.
According to Blockaid, the hackers added malicious code to the Lottery player files, turning these animations into an entry point for scams. Basically, when users visit sites with this hacked library, they are shown fake pop-ups asking them to link their digital wallets.
However, since these requests are controlled by hackers, they can gain unauthorized access to users' funds.
Jawish Hamid, vice president of engineering at Lotte Files, responded to the attack Confirmed The affected versions have been removed from npm, and a secure version (2.0.8) has been released.
LottieFiles suggested Decrypt For the people press release Regarding the division of events when asked for comments.
Hamed said the breach involved a senior engineer's GitHub account, where attackers pushed three compromised updates in three hours on Tuesday.
LottieFiles has removed all access from the affected developer account and taken additional steps to prevent future problems.
This type of “supply chain attack” — where hackers infiltrate widely used software that many websites rely on — could have far-reaching consequences. In this case, the hacked versions of the Lottery player were automatically uploaded to many websites, making it easy for hackers to gain access to users.
Decentralized assembly platform 1 inch, one of the main targets of the attack; calm down Users on social media only the web dApp is affected and the wallet app and core protocols remain secure.
Security problems in widely used libraries and tools have become a concern as hackers exploit vulnerabilities that allow them to access unsuspecting users' assets.
PEPE token holder at the beginning of this month disappeared $1.39 million after unknowingly signing a malicious Permit2 transaction.
Edited by Sebastian Sinclair.
Daily Debrief Newspaper
Start every day with top news stories, plus original features, podcasts, videos and more.
