16 matches found
Malicious code in @antv/g-lottie-player (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
EUVD-2025-12123
Malicious code in bioql PyPI...
PT-2025-18380 · WordPress · Lottie Player
Name of the Vulnerable Software and Affected Versions: AM LottiePlayer plugin for WordPress versions up to, and including, 3.5.3 Description: The issue is related to Stored Cross-Site Scripting via uploaded lottie files due to insufficient input sanitization and output escaping. This allows...
CVE-2025-2579
The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...
CVE-2025-2579
CVE-2025-2579 (Lottie Player for WordPress) : The plugin versions up to 1.1.8 are vulnerable to Stored Cross-Site Scripting via file uploads due to insufficient input sanitization/output escaping. Exploitation requires authenticated access at Author level or higher, enabling injection of scripts ...
CVE-2025-2579 Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload
The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...
WordPress plugin Lottie Player cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application extension for the platform. A cross-site scripting...
PT-2025-17710 · WordPress · Lottie Player
Name of the Vulnerable Software and Affected Versions: Lottie Player plugin for WordPress versions up to, and including, 1.1.8 Description: The issue is related to Stored Cross-Site Scripting via File uploads due to insufficient input sanitization and output escaping. This allows authenticated...
WordPress Lottie Player plugin <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload vulnerability
Authenticated Author+ Stored Cross-Site Scripting via File Upload vulnerability discovered by Avraham Shemesh in WordPress Plugin Lottie Player block - Implement Lottie animations. versions = 1.1.8...
MAL-2024-10301 Malicious code in @lottiefiles/lottie-player (npm)
Source: google-open-source-security. The NPM package @lottiefiles/lottie-player had unauthorized new versions published that contained malicious code. The malicious code...
@aigne/agent-v1 (>=1.0.12 <=1.0.17), @aigne/runtime (>=1.0.1 <=1.0.17) +39 more potentially affected by unknown CVE via @lottiefiles/lottie-player (=2.0.12)
@lottiefiles/lottie-player NPM version =2.0.12 is affected by a known vulnerability. The following packages have a transitive dependency on @lottiefiles/lottie-player and may be impacted: - @aigne/agent-v1 =1.0.12, =1.0.1, =1.0.12, =0.4.193, =0.3.9, =1.6.234, =1.6.254, =1.6.234, =1.6.234, =0.2.37...
Supply chain attack on lottie-player: everything you need to know
Supply chain attack in popular lottie-player library compromises websites with malicious Web3 wallet prompts – update or revert the library to avoid the compromised versions...
Malicious code in fk-react-lottie-player (npm)
Source: ghsa-malware. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...