- A blockchain security researcher from Aikido identified a serious vulnerability in the xrpl npm package, versions v4.2.1-4.2.4 and v2.14.2.
- The package is used by hundreds of thousands of applications and websites; the compromised versions steal private keys as soon as a Wallet object is instantiated.
On April 22, the XRP Ledger Foundation issued an urgent security warning regarding a critical vulnerability in its official JavaScript library, xrpl.js, which developers use to interact with the XRP Ledger blockchain. The vulnerability was identified as a sophisticated supply chain attack, in which malicious code that can undermine the security of cryptocurrency wallets using the library was inserted into some versions of the xrpl.js package. Aikido Intel, Aikido’s public threat feed that uses LLMs to monitor the public package managers, discovered the vulnerability.
The affected versions of xrpl.js, specifically v4.2.1 through v4.2.4 and v2.14.2, contained a backdoor function named checkValidityOfSeed. The function was designed to steal private keys by sending them to an unauthorized external domain whenever a wallet was generated or used.
The malware was inserted by an individual using the NPM account “mukulljangid,” which published these tainted versions to the Node Package Manager (NPM) registry. An NPM package is a reusable module for Node.js and JavaScript applications that simplifies installation, updates, and uninstallation. These versions were not in sync with any release on the XRP Ledger Foundation’s GitHub repository, which immediately aroused suspicions among security researchers.
Impact Evaluation
The backdoor posed a critical risk to any application or service using the compromised versions of xrpl.js, because it could lead to unauthorized access to users’ private keys and subsequent loss of funds. Notably, the XRP Ledger blockchain itself and the official GitHub repository were not impacted.
Other XRP-related projects, such as Xaman Wallet, XRPScan, First Ledger, and Gen3 Games, announced that they were not impacted by the breach, either because they had published safe versions of the library or because they use other infrastructure.
In response, the XRP Ledger Foundation deprecated all of the compromised versions of xrpl.js on NPM to prevent further downloads, and released a patched version, v4.2.5, which removes the malicious code and restores secure functionality.
Developers and projects using the vulnerable versions of the xrpl.js library are advised to take immediate action to secure their systems and user funds. They are recommended to upgrade to the fixed release, xrpl.js v4.2.5, or downgrade to the stable and unaffected v2.14.3. Additionally, any exposed secrets or private keys are to be rotated right away. As an additional precaution, vulnerable master keys are to be deactivated and replaced with newly generated standard key pairs to ensure security and integrity.
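As an added example (not code from the advisory or from the xrpl.js project), the following Node.js script checks an npm lockfile for the affected xrpl versions listed above, including nested copies pulled in transitively, and names the fixed release to move to. The lockfile contents are constructed for the demonstration.

```javascript
// Affected xrpl versions and the fixed releases named in the advisory.
const AFFECTED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const FIXED = { 4: "4.2.5", 2: "2.14.3" };

// Collect every installed xrpl entry (path + version) from a parsed
// package-lock.json, whether it uses the v2/v3 "packages" map or the
// v1 nested "dependencies" tree. Nested copies under other packages count too.
function findXrplEntries(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/xrpl$/.test(path)) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  // lockfileVersion 1: recurse through nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// For each xrpl entry, flag whether it is one of the backdoored versions
// and which fixed release on the same major line the advisory recommends.
function auditLockfile(lock) {
  return findXrplEntries(lock).map(({ path, version }) => {
    const affected = AFFECTED.has(version);
    const major = Number(version.split(".")[0]);
    return { path, version, affected, recommended: affected ? FIXED[major] : null };
  });
}

// Constructed sample lockfile (v3 layout), not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-wallet-sdk": { version: "0.9.0" },
    "node_modules/some-wallet-sdk/node_modules/xrpl": { version: "2.14.3" },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path} ${r.version} ${r.affected ? "AFFECTED -> upgrade to " + r.recommended : "ok"}`);
}
```

To audit a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a flagged entry means keys handled by that install should be treated as exposed and rotated as described above.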
Meanwhile, XRP has broken through the key resistance level of $2.20, rising to $2.26 after a 7.71% increase in the last 24 hours. This price surge has been mirrored by an increase in trading, with daily volume increasing by 104.04% to $5.04 billion.