The XRP Ledger Foundation has issued a warning about a supply-chain compromise of the official JavaScript SDK used to interact with the XRPL. Aikido Security uncovered the problem on April 21: several versions of the xrpl npm package had been tampered with and contained a backdoor that exfiltrated users' private keys.
### Critical Vulnerability Detected in SDK
On April 22, the Foundation issued an official statement acknowledging the compromise, which a researcher at Aikido Security had identified in xrpl npm package versions 4.2.1 through 4.2.4 and 2.14.2. XRPL Labs founder and CEO Wietse Wind clarified that Xaman Wallet users were not exposed to this flaw: the wallet does not use xrpl.js at all but relies on the xrpl-client and xrpl-accountlib libraries, an architecture that keeps ledger connectivity separate from the signing process, so the backdoored package was never in its code path.
Wind also described how the compromise worked: the tampered xrpl.js package contained malicious code that relayed any private key generated or imported through the library to an attacker-controlled external server. An attacker holding those keys could simply wait for the corresponding accounts to be funded and then drain them.
He urged developers who rely on third-party libraries to remain vigilant and recommended concrete measures: restrict who can publish packages, scan code before release, avoid automated publishing pipelines, and manage private keys securely.
### Swift Action to Mitigate Risk
In response, the XRP Ledger Foundation quickly published a clean version of the npm package with the malicious code removed, restoring the SDK for developer use. The action followed Aikido Security’s discovery: its automated threat detection system flagged suspicious updates to the package published under the npm username “mukulljangid”.
The updates, which consisted of new versions nobody at the project had authorized, contained a malicious function named checkValidityOfSeed that transmitted private keys to a server controlled by the attacker, putting users’ funds at direct risk. Since those keys left the user's machine, any key generated or imported through an affected version should be treated as compromised and the account's signing key rotated.
The incident comes in the wake of Ripple’s announcement that it is acquiring the prime brokerage firm Hidden Road for $1.25 billion. The acquisition is seen as a strategic move to position XRPL as a key channel for institutional funds, with Ripple CEO Brad Garlinghouse hinting at a role in post-trade settlement that could elevate the ledger to a corporate-scale clearing and credit platform.