1inch frontend hit by major supply chain attack
Decentralised exchange aggregator 1inch (CRYPTO:1INCH) was compromised in a widespread supply chain attack that exploited vulnerabilities in the popular Lottie Player library.
The breach involved the injection of malicious code into the front-end library, affecting multiple decentralised apps (dApps) and non-crypto websites utilising Lottie Player.
The security incident specifically impacted Lottie Player versions 2.0.5 and above, where attackers embedded unauthorised scripts into JSON files on affected sites.
This malicious code enables unauthorised transactions, posing significant risks to users’ funds and sensitive data.
Security firm Blockaid reported, “Legitimate sites (non-crypto as well) are now delivering harmful content, including anti-debug evasion code.”
Users are strongly advised to refrain from connecting wallets or engaging with compromised websites until the security flaws are fully mitigated.
While no compromised wallets have been confirmed thus far, the situation remains precarious.
According to Blockaid, the attack originated from a compromised npm package, which was disseminated via Lottie Player’s content server.
Reports suggest that the attackers managed to infiltrate the library and push altered versions, targeting crypto platforms like 1inch and TEN Finance.
However, the full extent of the breach remains unclear, with the number of affected sites likely higher.
Lottie Player’s team has identified the root cause and is actively removing the compromised versions.
They urged users to ensure that websites are running either version 2.0.4 or the latest 2.0.8 to guarantee security.
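The version advice above can be checked mechanically against a site's own HTML. The following is an added example, not code from Lottie Player, Blockaid or 1inch: it flags script tags that load the player with a floating version, a version other than the two named as safe, or no Subresource Integrity hash. The npm package name `@lottiefiles/lottie-player`, the CDN URLs and the sample page are assumptions constructed for illustration.

```javascript
// Added example: audit <script> tags that load Lottie Player from a CDN.
// SAFE_VERSIONS comes from the article; PACKAGE (the assumed npm name) and
// the sample HTML are constructed for illustration.
const PACKAGE = "@lottiefiles/lottie-player";
const SAFE_VERSIONS = new Set(["2.0.4", "2.0.8"]);

// Extract quoted attributes from a single opening tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}

function auditLottieScripts(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const { src = "", integrity } = parseAttrs(tag);
    const at = src.indexOf(PACKAGE);
    if (at === -1) continue; // not a Lottie Player include
    // Text after the package name: "@2.0.8/dist/..." or "/dist/..." (unpinned).
    const m = /^@([^/]+)/.exec(src.slice(at + PACKAGE.length));
    const version = m ? m[1] : null;
    const issues = [];
    if (!version || !/^\d+\.\d+\.\d+$/.test(version)) {
      issues.push("floating version: resolves to whatever the CDN serves");
    } else if (!SAFE_VERSIONS.has(version)) {
      issues.push("version is not one of the releases named as safe");
    }
    // Without SRI the browser runs the file even if its content changes.
    if (!integrity) issues.push("no integrity attribute (SRI)");
    findings.push({ src, version, issues });
  }
  return findings;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player@2.0.6/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>`;

for (const f of auditLottieScripts(SAMPLE_HTML)) {
  console.log(f.issues.length ? "FLAG" : "OK  ", f.src, f.issues);
}
```

The `integrity` value in the sample is a placeholder; a real deployment computes the hash from the exact file it has reviewed.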
At the time of reporting, the 1inch price was $0.2583.








