1inch attacked after attackers inject malicious code into an animation library update

2024/10/31 16:23

On October 30, 1inch users encountered an unexpected malicious popup urging them to connect their wallets.

A recent attack on 1inch, a decentralized exchange aggregator, saw attackers injecting malicious code into an animation library update to compromise users.

The attackers specifically targeted the popular Lottie Player animation library, which is used by major companies like Apple, Spotify, and Disney for creating engaging user interfaces.

According to Blockaid, a web3 security firm, the attackers used this library to inject malicious popups into websites that appeared unexpectedly, urging users to connect their wallets. These prompts were designed to redirect users to a crypto drainer, known as “Ace drainer,” which was disguised as a standard wallet connection request.

In a post-incident report, 1inch stated that only its web dApp was affected by this attack, while all other platforms, including its mobile app and API services, remained unaffected. The team also mentioned that some users might have been affected by this incident but assured that any losses would be refunded.

To mitigate the attack, the developers urged users to “revoke ERC20 approvals from malicious addresses” and highlighted that they were “strengthening dependency management for enhanced security.”

According to cybersecurity researcher Gal Nagli, the breach was part of a large-scale supply chain attack on the Lottie Player animation library, the same library used for web animations by companies such as Apple, Spotify, and Disney.

The attackers initially breached the GitHub account of a senior software engineer at LottieFiles, the publisher of the Lottie Player library. Using this access, the attackers pushed three malicious updates within a span of three hours. These updates contained code that injected a malicious popup into websites using the library.

While the attack was originally targeted towards web3 firms, Nagli warned that other websites using the affected library versions also remained vulnerable. At press time, the affected libraries had been removed from GitHub, and users were asked to upgrade to the latest version.

Cybersecurity firm Scam Sniffer reported in an Oct. 31 X post that at least one victim had lost 10 BTC, which was roughly valued at $723,436 at the time, after signing a phishing transaction, which was likely connected to the supply chain attack on Lottie Player.

Source: crypto.news

Disclaimer: info@kdj.com

The information provided is not trading advice. kDJ.com accepts no responsibility for any investment made on the basis of the information in this article. Cryptocurrencies are highly volatile; please research thoroughly and invest with caution.

If you believe content used on this site infringes your copyright, please contact us immediately (info@kdj.com) and we will remove it promptly.
