The XRP Ledger Foundation has addressed a critical supply-chain compromise of its official JavaScript SDK: backdoored versions of the xrpl npm package that exfiltrated private keys, potentially allowing attackers to drain cryptocurrency wallets.
Security Patch Rolled Out for XRP Ledger npm Package
On April 22, the XRP Ledger Foundation published a clean release of its npm package, superseding the compromised versions. The xrpl npm package is the official JavaScript/TypeScript library for interacting with the XRP Ledger, enabling developers to connect to the network, manage wallets, send transactions, and build decentralized applications.
The update came shortly after application security firm Aikido identified suspicious activity in five newly published versions of the library.
Fake Versions of xrpl npm Package Identified
According to Aikido, malicious actors had uploaded compromised versions of the xrpl npm package to the npm registry, starting with version 4.2.1. These versions had no matching official release, which is what first drew attention and led to their discovery. The packages contained hidden code designed to steal private keys by transmitting them to a domain controlled by the attackers.
“Bad actors put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets,” Aikido reported.
The malicious code ran whenever a new wallet object was created, sending the wallet's secret to the attackers' server; whoever holds a wallet's seed or private key controls its funds. Aikido described the incident as a “potentially catastrophic supply chain attack,” given the widespread usage of the xrpl npm package.
Scope of the Risk
The xrpl npm package sees over 140,000 weekly downloads and is integrated into numerous websites and applications within the XRP ecosystem. If left unaddressed, the backdoor could have silently leaked the keys of every wallet created by the affected applications.
The attackers refined the implant with each release. In the first malicious versions the code was added only to the built JavaScript files, where few developers look, while the TypeScript sources appeared untouched. Versions 4.2.3 and 4.2.4 placed the backdoor directly in the TypeScript source files, so a reviewer comparing the shipped sources against the built output would no longer see a discrepancy.
Recommendations for Developers
Aikido researchers strongly advised developers to take immediate action:
- Stop using affected versions of the xrpl npm package.
- Rotate private keys or seed phrases that may have been exposed.
- Scan network logs (DNS, proxy and egress) for connections to the attacker-controlled domain 0x9c.xyz.
- Upgrade to the patched versions: 4.2.5 for the 4.x line or 2.14.3 for the 2.x line.
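The two checks a developer actually has to run from that list are "which xrpl versions are installed in my project, including nested copies pulled in by other dependencies" and "did anything on my network talk to 0x9c.xyz". The script below is an added example written for this article; it is not code from the xrpl project or from Aikido. It reads a package-lock.json object (lockfile versions 1, 2 and 3) and classifies every xrpl install, then filters log lines for the exfiltration domain. The affected 4.x versions (4.2.1 through 4.2.4) and the patched versions (4.2.5 and 2.14.3) come from the advisory; because the article does not name the bad 2.x release, the script treats every 2.x below 2.14.3 as "upgrade" rather than as confirmed malicious. The lockfile and log lines at the bottom are constructed sample data.

```javascript
// Added example: audit a project's package-lock.json for xrpl versions and
// scan log lines for the exfiltration domain named in the advisory.
// Not code from the xrpl project or Aikido; sample data below is constructed.

const MALICIOUS_4X = ["4.2.1", "4.2.2", "4.2.3", "4.2.4"]; // named in the advisory
const PATCHED = { 4: "4.2.5", 2: "2.14.3" };               // first clean release per major line
const EXFIL_DOMAIN = "0x9c.xyz";

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes are ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so 4.10.0 sorts after 4.9.9 (a plain string compare would not).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "malicious": one of the backdoored 4.x releases named in the advisory.
// "upgrade":   below the patched release for its major line (every 2.x below
//              2.14.3 lands here, since the bad 2.x release is not named).
// "ok":        at or above the patched release.
// "unknown":   a major line the advisory does not cover.
function classifyXrplVersion(version) {
  if (MALICIOUS_4X.includes(version)) return "malicious";
  const major = parseSemver(version)[0];
  const patched = PATCHED[major];
  if (!patched) return "unknown";
  return compareSemver(version, patched) < 0 ? "upgrade" : "ok";
}

// Return every installed copy of xrpl, including nested copies under other packages.
function findXrplInstalls(lock) {
  const found = [];
  const record = (path, version) =>
    found.push({ path, version, status: classifyXrplVersion(version) });

  // lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl")) {
      record(path, entry.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 also carries this tree
  // for backward compatibility, so only walk it when "packages" is absent).
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl") record(path, entry.version);
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Return log lines that reference the exfiltration domain or any subdomain of it.
// The match is delimited so "example0x9c.xyz" or "0x9c.xyzzy" does not count.
function findExfilConnections(logText) {
  const dom = EXFIL_DOMAIN.replace(/\./g, "\\.");
  const re = new RegExp(`(^|[^a-z0-9.-])(?:[a-z0-9-]+\\.)*${dom}(?![a-z0-9-])`, "i");
  return logText.split(/\r?\n/).filter((line) => re.test(line));
}

function auditProject(lock, logText) {
  return { installs: findXrplInstalls(lock), exfilLines: findExfilConnections(logText) };
}

// Constructed sample lockfile: a direct xrpl 4.2.4 plus a nested 2.14.1 under a UI library.
const SAMPLE_LOCK = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.4" },
    "node_modules/some-wallet-ui": { version: "1.0.0" },
    "node_modules/some-wallet-ui/node_modules/xrpl": { version: "2.14.1" },
  },
};

// Constructed sample log lines (proxy and DNS style); two of the four reference the domain.
const SAMPLE_LOG = [
  "2025-04-21T10:02:11Z proxy CONNECT 0x9c.xyz:443 from 10.0.0.12",
  "2025-04-21T10:02:12Z proxy CONNECT mainnet.example.net:443 from 10.0.0.12",
  "2025-04-21T10:02:13Z dns query A api.0x9c.xyz from 10.0.0.12",
  "2025-04-21T10:02:14Z proxy CONNECT example0x9c.xyz:443 from 10.0.0.12",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditProject(SAMPLE_LOCK, SAMPLE_LOG), null, 2));
}
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and SAMPLE_LOG with the exported DNS or proxy log. A "malicious" or "upgrade" result on any path, not just the top-level one, means the key-rotation step above applies, because a nested copy is loaded just as readily as a direct dependency.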
The XRP Ledger Foundation confirmed that the compromised packages had been removed and assured that key projects within the ecosystem, such as XRPScan, First Ledger, and Gen3 Games, were not impacted.
Market Reaction
Despite the incident, the XRP token remained resilient, climbing 7.4% over the past 24 hours to trade at $2.24 at the time of writing.
Previous Security Challenges
This incident isn't the first major one the XRP Ledger has faced in recent months. Earlier this year, a temporary disruption in transaction validation halted the network for nearly an hour on February 5. Fortunately, no data loss occurred during that event.
Staying vigilant and proactive in addressing security risks is crucial for protecting the integrity of blockchain networks like the XRP Ledger. Developers are encouraged to audit their dependencies regularly, including the nested copies recorded in their lockfiles, to check that newly published npm versions correspond to official releases before adopting them, and to stay up to date with patched releases to safeguard their projects and users.