Crypto News

1inch hit after attackers inject malicious code into an animation library update

2024/10/31 16:23

On October 30, 1inch users encountered unexpected malicious popups urging them to connect their wallets.

A recent attack on 1inch, a decentralized exchange aggregator, saw attackers inject malicious code into an animation library update in order to compromise the users of sites that loaded it.

The attackers targeted the popular Lottie Player animation library, which is used by major companies such as Apple, Spotify, and Disney to build engaging user interfaces.

According to Blockaid, a web3 security firm, the attackers used the compromised library to inject popups that appeared unexpectedly on websites embedding it, urging visitors to connect their wallets. The prompts were disguised as a standard wallet-connection request and routed users to a crypto drainer known as "Ace Drainer".

In a post-incident report, 1inch stated that only its web dApp was affected; all other platforms, including its mobile app and API services, were not. The team acknowledged that some users might have been affected and assured them that any losses would be refunded.

To mitigate the attack, the developers urged users to "revoke ERC20 approvals from malicious addresses" and said they were "strengthening dependency management for enhanced security."

According to cybersecurity researcher Gal Nagli, the 1inch breach was one consequence of a large-scale supply chain attack on the Lottie Player animation library itself, not an attack on 1inch's own code.

The attackers first compromised the GitHub account of a senior software engineer at LottieFiles, the publisher of the Lottie Player library. With that access they pushed three malicious updates within a span of three hours, each containing code that injected the malicious popup into websites using the library.

While the attack was originally aimed at web3 firms, Nagli warned that any other website still loading the affected library versions remained exposed as well. At press time, the affected versions had been removed from GitHub, and users were asked to upgrade to the latest version.

Cybersecurity firm Scam Sniffer reported in an Oct. 31 post on X that at least one victim had lost 10 BTC, worth roughly $723,436 at the time, after signing a phishing transaction that was likely connected to the Lottie Player supply chain attack.

Source: crypto.news
