XRP Ledger Foundation confirms SDK breach and issues urgent fix

Source Cryptopolitan

Software security firm Aikido has alerted XRP Ledger developers to a vulnerability in the XRPL software development kit (SDK) that allows hackers to steal private keys. The developer-focused firm said the vulnerability was present in XRPL versions 4.2.1 – 4.2.4.

According to the firm, it first identified the vulnerability on April 21 at 20:53 GMT+0, after it received an alert that five new packages had been added to the XRPL package. A closer examination showed that bad actors had compromised the package by adding a backdoor to steal private keys.

It said:

“We quickly confirmed the official XRPL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.”

Given that the package has an average of 140,000 weekly downloads and thousands of websites and applications use it, the incident could have been a disastrous supply chain attack for the crypto industry.

Per the report, the hacker published several versions of the package in an attempt to hide their trail and keep the backdoor from being noticed. However, Aikido was able to identify it thanks to its Aikido Intel tool, which monitors public package managers such as NPM and flags malicious code changes.

XRPL Foundation acknowledges compromise

Meanwhile, the XRPL Foundation, the non-profit behind the XRPL network, has acknowledged the incident and deployed a fix for the vulnerability. The foundation said on X that it has now published version 4.2.5 of the XRPL package as a replacement for the compromised versions.

Developers who have the compromised versions have been advised to replace them immediately. The foundation also deprecated all the compromised versions on NPM so that no one can download them.

It also advised developers to use the latest v4.2.5 or the much older v2.14.3, which was not compromised, and added that the issue does not affect the XRPL codebase or its GitHub repository.

The foundation said:

“This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.”
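As an added example (not code from the article, from Aikido or from the XRPL Foundation), the following Node.js script audits a project's package-lock.json for the xrpl.js versions the article lists as compromised (4.2.1 – 4.2.4) and recognises the two versions the foundation named as safe (4.2.5 and 2.14.3). It assumes the NPM package name is `xrpl`; the lockfile embedded below is constructed for the example.

```javascript
// Added example: flag compromised xrpl.js versions in an npm lockfile.
const COMPROMISED = ["4.2.1", "4.2.2", "4.2.3", "4.2.4"]; // range named in the article
const SAFE = ["4.2.5", "2.14.3"];                           // versions the foundation called safe
const PKG = "xrpl";                                          // assumed NPM name of xrpl.js

// Constructed sample lockfile (npm lockfileVersion 3 layout), used when no path is given.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/xrpl": { version: "2.14.3" }, // nested copy
  },
});

function classify(version) {
  if (COMPROMISED.includes(version)) return "COMPROMISED";
  if (SAFE.includes(version)) return "ok";
  return "unknown (not in the advisory's lists; verify manually)";
}

// lockfileVersion 1 nests dependencies recursively; walk the tree and build paths.
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PKG && meta.version) {
      findings.push({ path, version: meta.version, status: classify(meta.version) });
    }
    walkV1(meta.dependencies, path + "/", findings);
  }
}

function auditXrplLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: every installed copy is keyed by its node_modules path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop(); // handles nested copies
      if (name !== PKG || !meta.version) continue;
      findings.push({ path, version: meta.version, status: classify(meta.version) });
    }
  } else {
    walkV1(lock.dependencies, "", findings);
  }
  return findings;
}

function hasCompromised(findings) {
  return findings.some((f) => f.status === "COMPROMISED");
}

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];                       // optional: path to a real package-lock.json
  const json = file ? require("fs").readFileSync(file, "utf8") : SAMPLE_LOCK;
  for (const f of auditXrplLock(json)) console.log(`${f.path}@${f.version}: ${f.status}`);
}
```

Run it as `node audit-xrpl.js ./package-lock.json` to check a real project; a non-empty "COMPROMISED" line means the lockfile still pins a backdoored release and the project should move to 4.2.5 before its next install.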

So far, several protocols on the network have confirmed that the vulnerability did not affect them. Xaman Wallet noted that it uses in-house infrastructure and libraries to handle transactions and private keys, while XRPScan said it uses an older version of xrpl.js and does not process private keys.

Others, such as Bitfrost wallet, DeFi protocol OpulenceX, memecoin RibbleXRP, and Web3 gaming platform Gen3 Games have also confirmed they are unaffected.

Crypto-related supply chain attacks becoming prevalent

The XRPL supply chain attack is the latest incident of bad actors targeting software packages to exploit crypto-related projects.

Back in March, hackers targeted Coinbase in a GitHub Actions supply chain attack by trying to break the exchange’s open-source AgentKit. They failed, and Coinbase foiled the attempt; the attackers then turned to several other repositories instead.

Before that, cybersecurity experts had discovered that the notorious North Korean hacker group Lazarus was targeting crypto developers through NPM repositories and planting backdoors in projects. It is unclear whether they are involved in the
