Ripple's XRP Ledger Under Siege: Security Breach Raises Concerns


A security vulnerability shook the XRP Ledger developer community when a bug was found in multiple releases of the xrpl.js library uploaded to NPM. It was first flagged by the security company Aikido Security, which reported the presence of a backdoor exfiltrating private keys to the attacker.

As per the company, versions 4.2.1 to 4.2.4 of the JavaScript package were impacted, and immediate calls were raised to roll back or upgrade to secure versions.

Validator and Experts Raise Alarm

Vet, a well-known validator on the XRPL network, seconded the warnings and released a stern caution on X, formerly known as Twitter.

“XRP Ledger devs and projects – if you use xrpl js library, don’t update or use ANY version 4.2.1 or higher. It’s compromised – any project utilizing the newest version of xrpl js is putting users and funds at risk,” Vet said, calling on teams to notify others in the ecosystem.

Thomas Silkjaer, inFTF Head of Analytics and Compliance, also posted the warning and highlighted that any project utilizing these versions risks compromising all user accounts associated with the library.

Ripple CTO Affirms Extent of the Breach

Ripple CTO David Schwartz reported that the attack was confined to the NPM package and did not touch the XRP Ledger core or its GitHub repositories.

Ripple software engineer Mayukha Vadari explained that the malicious versions were pushed only recently and that GitHub remains secure. Vadari asked users to avoid third-party services that manage sensitive credentials until they have verified that their environment is secure.

Foundation Moves with Patch and Guidelines

The XRP Ledger Foundation moved quickly to address the developing crisis. In a public announcement, the foundation stated that the vulnerability is present only in the xrpl.js NPM package and not in the wider XRPL infrastructure. The Foundation called on all projects that utilize the library to update at once to version 4.2.5 or roll back to the older version 2.14.3, both of which are known to be secure. The compromised versions have also been deprecated on NPM, and a fresh patch for the 2.14.x branch was published to remove the affected version. A post-mortem report from the Foundation is expected shortly, giving a complete analysis of how the compromise happened and what lessons can be learned.

Not All Services Affected

Denis Angell of XRPL Labs has assured that the stable release is still version 4.2.0, which is unaffected. In addition, Xaman Wallet, managed by XRPL Labs, also assured users that it is unaffected by the breach, citing that it uses proprietary infrastructure and does not rely on third-party libraries like xrpl.js.

The Golden Rule: Trust, but Verify

This event highlights the fragility of open-source package management and the importance of vigilance in the developer community. While developers scramble to lock down their applications and user funds, the wider lesson is obvious: trust, but verify, particularly when dealing with sensitive blockchain actions.

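To act on the Foundation's guidance above, here is an added example (not code from the article or from the xrpl.js project) that walks a package-lock.json and reports any install of xrpl, direct or transitive, on one of the four versions the article names as compromised. The sample lockfile, the `demo-app` name and the `some-sdk` dependency are constructed for the demo.

```javascript
// Added example (not code from the article or from the xrpl.js project): scan a
// package-lock.json for the xrpl.js versions the article lists as compromised.
const COMPROMISED_XRPL_VERSIONS = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4"]);

function isCompromisedXrplVersion(version) {
  // Lockfiles record exact versions, so an exact match is sufficient here.
  return COMPROMISED_XRPL_VERSIONS.has(String(version).trim());
}

// Returns [{ path, version }] for every xrpl install on a compromised version.
// Handles the lockfile v2/v3 "packages" map and falls back to the v1 nested
// "dependencies" tree; transitive (nested) installs are checked as well.
function findCompromisedXrpl(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      // Nested installs look like node_modules/<dep>/node_modules/xrpl.
      if (path.endsWith("node_modules/xrpl") && meta && isCompromisedXrplVersion(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl" && isCompromisedXrplVersion(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

// Constructed sample lockfile: a direct install on a compromised version plus a
// nested transitive install on 2.14.3, which the article lists as safe.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-sdk": { version: "0.9.0" },
    "node_modules/some-sdk/node_modules/xrpl": { version: "2.14.3" },
  },
};

for (const hit of findCompromisedXrpl(SAMPLE_LOCKFILE)) {
  console.log(`compromised xrpl ${hit.version} at ${hit.path}: upgrade to 4.2.5 or roll back to 2.14.3`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromisedXrpl` instead of the constructed sample.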