Supply Chain Attack on XRP Ledger SDK: How a Backdoor in NPM Versions Compromised Crypto Wallets

The recent security breach of the official XRP Ledger JavaScript SDK underscores the evolving threats of the digital age. This supply chain attack injected a backdoor into specific versions of the package published on NPM, targeting private key theft and placing connected XRP wallets in peril.

The breach targeted the xrpl NPM package, a library developers use to interact with the XRP Ledger blockchain. Between April 21 at 20:53 GMT+0 and April 22, unauthorized versions 4.2.1 through 4.2.4 and 2.14.2 were published to NPM under the legitimate package name. They were published by the user account “mukulljangid” and contained code capable of stealing private keys from cryptocurrency wallets.

These releases did not mirror the official GitHub repository, raising suspicion within the security community. Aikido, a software supply chain monitoring platform, was first to identify this suspicious activity and published its findings on April 21.

The backdoor worked by introducing a function that connected to the suspicious domain 0x9c[.]xyz. Once activated, it could extract sensitive data, including private keys, and send it to that external host. Because it was hidden inside a trusted software library, the code bypassed traditional security checks, exposing a wide range of applications and users to risk.

These infected versions had been downloaded thousands of times before the threat was discovered. With the package’s weekly download count exceeding 140,000, the breach had the potential to affect a wide range of crypto-focused applications.

In response to this, the XRP Ledger development team removed the malicious versions and published patched releases: 4.2.5 and 2.14.3. Aikido has urged developers to take immediate action to protect their systems and user data.

First, developers must upgrade to the newly patched versions of the xrpl package, from which the malicious code has been removed. Under no circumstances should any of the compromised versions be installed or used, as they contain a backdoor capable of stealing sensitive information.

Furthermore, developers should rotate any private keys or secrets that may have been exposed during the time these versions were in use. Lastly, it is essential to monitor systems for any suspicious outbound traffic, especially connections to the domain 0x9c[.]xyz, which has been associated with the malicious activity.

SlowMist, the security provider, emphasized that developers using earlier versions (pre-4.2.1 or pre-2.14.2) should avoid direct upgrades to the infected releases. Instead, they should transition directly to the clean versions.
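As an added example (not code from the article, Aikido, SlowMist or the xrpl project), the following Node.js snippet scans a project's package-lock.json for the compromised xrpl versions named above, including nested copies, and flags whether each should be treated as compromised, already patched, or moved straight to the patched release. The lockfile contents are a constructed sample.

```javascript
// Added example: audit a package-lock.json for the xrpl versions the
// article lists. Version numbers come from the article; the lockfile
// below is a constructed sample, not a real project.
const COMPROMISED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const PATCHED = { "4": "4.2.5", "2": "2.14.3" }; // patched release per major line

function classifyXrplVersion(version) {
  if (COMPROMISED.has(version)) return "compromised";
  const major = version.split(".")[0];
  if (PATCHED[major] === version) return "patched";
  // Any other version: go directly to the patched release, never through
  // 4.2.1-4.2.4 or 2.14.2, as SlowMist advised.
  return "upgrade-directly";
}

// Walks the "packages" map of a lockfileVersion 2/3 file. Keys look like
// "node_modules/xrpl" (top level) or "node_modules/foo/node_modules/xrpl"
// (a nested copy pulled in by another dependency).
function findXrpl(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl")) {
      findings.push({
        path,
        version: meta.version,
        status: classifyXrplVersion(meta.version),
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct, compromised copy and one nested,
// already-patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/xrpl": { version: "2.14.3" },
  },
};

function hasCompromisedXrpl(lock) {
  return findXrpl(lock).some((f) => f.status === "compromised");
}

for (const f of findXrpl(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.version}: ${f.status}`);
}
```

On a real project, read the lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and pass it to `findXrpl`; a non-empty "compromised" result means keys used by that deployment should be rotated as well.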

In conclusion, this incident highlights the importance of continuous monitoring of software supply chains and proactive management of security protocols in the digital era.
