Aikido Security has disclosed a vulnerability in the official JavaScript SDK of the XRP Ledger (XRPL), revealing that several compromised versions of the xrpl Node Package Manager (npm) package were published to the registry from 21 April.
The affected versions, v4.2.1 to v4.2.4 and v2.14.2, contain a backdoor capable of exfiltrating private keys, posing a serious risk to crypto wallets that depend on the software.
An npm package is a reusable module for JavaScript and Node.js projects, designed to simplify installation, updates and removal.
According to Aikido Security, its automated threat monitoring platform flagged the anomaly at 8:53 pm UTC on April 21, when npm user “Mukulljangid” published five new versions of the xrpl package.
These releases did not correspond to any tagged release on the official GitHub repository, which immediately raised suspicion of a supply-chain compromise.
Malicious code embedded in the wallet logic
Aikido's analysis showed that the compromised packages contain a function called checkValidityOfSeed, which made outbound calls to the newly registered domain 0x9c[.]xyz.
The function was invoked during instantiation of the Wallet class, so private keys were silently transmitted whenever a wallet was created.
Early versions (v4.2.1 and v4.2.2) embedded the malicious code in the built JavaScript files. Later versions (v4.2.3 and v4.2.4) introduced the backdoor into the TypeScript sources, which were then compiled into the production code.
The attacker appeared to be iterating on evasion techniques, moving from manual JavaScript manipulation to deeper integration into the SDK's build process.
The report stated that the package is used by hundreds of thousands of applications and websites, and described the event as a targeted attack on crypto development infrastructure.
The compromised versions also removed development tooling such as prettier and scripts from the package.json file, further indicating deliberate tampering.
XRP Ledger Foundation and Ecosystem Response
The XRP Ledger Foundation acknowledged the issue in a public statement published via X on April 22. It explained:
“Earlier today, a security researcher at @AikidoSecurity identified a serious vulnerability in the XRPL npm package (v4.2.1–4.2.4 and v2.14.2). We are aware of the problem and are actively working on a solution. A detailed post-mortem will follow.”
Mark Ibanez, CTO of XRP Ledger-based Gen3 Games, said his team avoided the compromised package versions with “a bit of luck”.
He added:
“Our package.json specified ‘xrpl’: ‘^4.1.0’, which means that, under normal circumstances, any compatible minor or patch version – including potentially compromised ones – could be installed during development, builds or deployments.”
Gen3 Games, however, commits its pnpm-lock.yaml file to version control. This practice ensured that the exact versions recorded in the lockfile, not newly published ones, were installed during development and deployment.
Ibanez highlighted several practices to reduce risk: always committing the lockfile to version control, using performant npm (pnpm) where possible, and avoiding the caret (^) symbol in package.json to prevent unintended version upgrades.
The software development kit, maintained by Ripple and distributed via npm, receives more than 140,000 downloads per week, and developers use it widely to build applications on the XRP Ledger.
The XRP Ledger Foundation removed the affected versions from the npm registry shortly after the disclosure. However, it remains unknown how many users had integrated the compromised versions before the problem was flagged.