Lottie File Incidents: Case Studies of Third-Party Supply Chain Risks
ID: c423566b-6c74-571c-b4d2-59654281e241
STIX ID: report--c423566b-6c74-571c-b4d2-59654281e241
Feed Name: CertiK Blog
This report details two Lottie-related security incidents: (1) an XSS exploit abusing lottie-web's expression evaluation that was used to show fake "Verify Wallet" pop-ups on CoinMarketCap via a malicious doodle, and (2) a supply-chain compromise of the @lottiefiles/lottie-player npm package where attacker-published versions prompted users to connect wallets. The document provides attack paths, PoC artifacts, detection steps, and recommended mitigations such as disabling expressions, enforcing CSP, pinning dependencies, and using SRI.
