The XRP Ledger Foundation issued a warning to developers and projects that are utilizing the xrpl JavaScript library.
A severe vulnerability has been found in a series of popular versions of the library distributed through the Node Package Manager (NPM) registry. The vulnerable versions are v4.2.1 through v4.2.4 and v2.14.2. A patched version, v4.2.5, is now available.
The vulnerability was found by security researcher Charlie Eriksen at Aikido Security, who identified a backdoor capable of exposing users’ secret keys.
If left unremediated, the flaw could enable a catastrophic supply chain attack. The Foundation stressed that it does not affect the underlying XRP Ledger codebase or GitHub repository; only the JavaScript SDK is affected.
On April 21, Eriksen’s Aikido monitoring tool picked up suspicious activity related to the compromised package. Within a few hours, five versions containing hidden backdoor code had been uploaded to NPM.
The package sees more than 140,000 weekly downloads and underpins several hundred applications and platforms within the field of cryptocurrency.
“The risk level is very high,” Eriksen cautioned. “All users who have executed code from the hacked versions are assumed to have had their private keys stolen.” We encourage users to transfer their assets to new wallets with new keys.
XRP Ledger urges immediate SDK update
Xaman Wallet and XRPScan reported that they found no compromise. The XRP Ledger Foundation highlighted the need for every project to verify which SDK version it is running.
Developers are responsible for making sure that they are working with a verified version of the SDK within their projects.
This measure helps preserve the security and integrity of the XRP Ledger network. The Foundation has released version 4.2.5 to remediate the issue and is preparing a detailed post-mortem.
The incident has raised concerns about the integrity of open-source dependencies. Because developers rely heavily on NPM to obtain JavaScript packages, a single compromised update can affect thousands of projects.
The case also reflects the growing threat of supply chain attacks in the cryptocurrency sector. The swift response by Eriksen and the Foundation may have averted more severe consequences, though the full extent of the damage is still unknown.
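Verifying the SDK version means checking more than the top-level dependency: a clean direct install of xrpl can coexist with an affected copy pulled in transitively by another package. As an added example that is not part of the Foundation's advisory or the xrpl project's own code, the following Node.js script scans a package-lock.json (lockfile v1, v2 or v3) for every xrpl entry and flags the versions named above. The lockfile content is constructed for the demonstration, and the function names are the example's own.

```javascript
// Added example: audit an npm lockfile for the xrpl.js versions the
// XRP Ledger Foundation advisory lists as backdoored.
// Versions and the fixed release come from the advisory; everything else
// (function names, sample data) is constructed for this illustration.

const AFFECTED_XRPL_VERSIONS = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const FIXED_XRPL_VERSION = "4.2.5";

// Accept "v4.2.3" as well as "4.2.3"; lockfiles store the bare form.
function normalizeVersion(v) {
  return String(v).trim().replace(/^v/, "");
}

function isAffectedXrplVersion(version) {
  return AFFECTED_XRPL_VERSIONS.has(normalizeVersion(version));
}

// Return every xrpl entry in a parsed lockfile with its install path,
// version and whether that version is on the affected list.
function findXrplEntries(lock) {
  const found = [];
  const record = (path, version) =>
    found.push({ path, version, affected: isAffectedXrplVersion(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta || !meta.version) continue;
      // Aliased installs carry an explicit name; otherwise derive it from the path.
      const name = meta.name || path.split("node_modules/").pop();
      if (name === "xrpl") record(path, meta.version);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree keyed by package name.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "xrpl" && meta.version) record(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Parse the lockfile text and summarise what needs to change.
function auditLockfile(lockJsonText) {
  const entries = findXrplEntries(JSON.parse(lockJsonText));
  const affected = entries.filter((e) => e.affected);
  const advice = affected.length
    ? `Upgrade every affected xrpl entry to ${FIXED_XRPL_VERSION} (check parent packages for ` +
      `nested copies) and treat keys handled by the affected code as exposed.`
    : "No affected xrpl versions found in this lockfile.";
  return { entries, affected, ok: affected.length === 0, advice };
}

// Constructed sample: a clean direct dependency plus an affected copy
// nested under a hypothetical third-party SDK.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/some-wallet-sdk": { version: "0.9.0" },
    "node_modules/some-wallet-sdk/node_modules/xrpl": { version: "4.2.3" },
  },
});

const report = auditLockfile(SAMPLE_LOCK);
for (const e of report.entries) {
  console.log(`${e.affected ? "AFFECTED" : "ok      "} ${e.path}@${e.version}`);
}
console.log(report.advice);
```

Run against a real project by replacing SAMPLE_LOCK with the contents of its package-lock.json; `npm ls xrpl` gives the same tree view from the CLI, but the lockfile scan can be run in CI on a checked-in file without installing anything. A clean top-level entry is not sufficient on its own, which is why the sample deliberately includes an affected nested copy.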
Nonetheless, the XRP Ledger Foundation urges everyone to update to v4.2.5 without delay. Projects still running affected versions should treat keys processed by that code as exposed.