
The npm library xrpl.js, the official tool for interacting with the Ripple blockchain, has been hit by a serious supply-chain attack: attackers inserted a backdoor into the code to steal the private keys of crypto wallets.
Experts from Aikido Security found that the xrpl.js npm package contained a malicious function, checkValidityOfSeed, which forwarded user keys to an external domain. The attack affected versions 4.2.1 – 4.2.4 and 2.14.2. Only versions 4.2.5 and 2.14.3 are considered safe.
It is believed that the Ripple developer account under the name “mukulljangid” was compromised, since the infected updates were published from it. The attackers kept modifying the backdoor across several releases in an attempt to evade detection.
While Ripple’s GitHub repository remained untouched, the damage has already been done: the xrpl.js library has over 2.9 million downloads and is used weekly by over 135,000 developers worldwide. Ripple Labs launched the XRP Ledger in 2012. Since then, the xrpl.js library has become the de facto standard for working with the network, used by both large exchanges and independent DeFi developers.
Supply-chain attacks on npm packages are becoming increasingly common. They undermine trust in the open-source ecosystem by exploiting weaknesses in developer accounts and abusing the registry's ability to distribute malicious code quickly to tens of thousands of applications.
This case is a reminder to developers and the crypto community of how fragile the software supply chain is. Project teams using xrpl.js should immediately upgrade to the safe versions and verify every instance of the library in their dependency trees, including transitive copies. In addition, multi-factor authentication should be enabled on npm accounts, and commit history should be reviewed regularly.