A critical security incident has compromised a widely-used software library in the Ripple XRP ecosystem, putting thousands of crypto wallets at risk.
Malicious Code Detected in xrpl.js Package
The breach affected xrpl.js, Ripple’s recommended JavaScript library for interacting with the XRP Ledger, after a hacker inserted malicious code designed to steal private wallet credentials.
The compromise came to light on Monday evening, when security researchers at Aikido, a crypto-focused cybersecurity firm, discovered unauthorized code within the official Node Package Manager (NPM) distribution of xrpl.js. The backdoor was detected in multiple versions of the library published to the NPM registry between 4:46 PM and 5:49 PM Eastern Time.
According to Aikido’s Charlie Eriksen, who identified the backdoor, the malicious update posed a potentially catastrophic risk to the cryptocurrency supply chain. The compromised package was capable of stealing wallet seeds and private keys and transmitting them to an attacker-controlled server. This gave threat actors the ability to gain control over affected wallets and drain their assets.
Scope and Immediate Impact
While the backdoor threatened a vast number of projects reliant on xrpl.js, Eriksen clarified that exposure was limited to services that downloaded and integrated the tainted versions during a brief window on Monday. Applications and services that did not update their dependencies within this period are reportedly unaffected.
Notably, major XRP projects including Xaman Wallet and XRPScan confirmed they remain secure. Nevertheless, security experts urged users and developers to exercise caution.
Eriksen advised,
“If you believe you may have interacted with the compromised code, assume your wallet keys are exposed. Affected keys should be retired, and assets moved to new wallets immediately.”
Ripple Responds and Mitigates Risk
Engineers at the XRP Ledger Foundation acted swiftly to mitigate the breach. Updated, secure versions of the xrpl.js library were released shortly after the attack was identified, overriding the malicious packages on NPM. The development team has recommended that all users and projects update to the latest safe version without delay.
The XRP Ledger Foundation also stated it would publish a detailed post-mortem once a comprehensive internal review is completed. In the interim, developers relying on xrpl.js have been strongly advised to audit their projects for any exposure to the affected versions.
Widespread Adoption Heightens Risk
Given that xrpl.js is the XRP Ledger Foundation’s official library for JavaScript-based blockchain interactions, enabling tasks like wallet operations and token transfers, its popularity made the breach particularly alarming. The library recorded over 140,000 downloads in the past week alone, underscoring the potential reach of the attack had it remained undetected.
This incident highlights the growing risks posed by supply chain attacks within the cryptocurrency industry, where widely-used open-source dependencies can become vectors for significant financial harm.