- Backdoor in XRPL.js NPM packages exposed private keys in versions 4.2.1 to 4.2.4
- Only the NPM distribution was compromised, GitHub repository remains unaffected
- Version 4.2.5 released quickly to patch vulnerability and secure developer environments
A critical security breach has rattled the XRP development community following discovery of a backdoor in XRPL.js package versions 4.2.1 through 4.2.4 on NPM. The malicious code, present in versions 4.2.1 through 4.2.4, was capable of stealing users’ private keys and transmitting them to attackers.
This prompted Ripple’s Chief Technology Officer, David Schwartz, to issue a public warning. Developers using these compromised versions are strongly advised to treat any exposed credentials as compromised.
Breach Limited to NPM; Core Ledger Safe
The breach, first reported by Aikido Security, revealed the NPM distribution of XRPL.js was altered with key-stealing code; the GitHub repository was not affected. This suggests only the NPM channel was compromised.
Related: Ripple’s RLUSD Stablecoin Goes Live for Lending, Borrowing on Aave V3
Consequently, developers using trusted sources like GitHub remain unaffected. RippleX’s senior engineer Mayukha Vadari confirmed the core XRP Ledger is still safe and operating normally.
Rapid Fix Issued, Ecosystem Responds
In less than 24 hours, the malicious versions were removed from NPM. A secure version, 4.2.5, has now been published as a fix. Additionally, users operating on the 2.x branch can safely use version 2.14.3. The quick action by the XRP Ledger Foundation and the broader Ripple development team helped contain what could have been a widespread threat.
Related: Ripple’s Public Listing Dreams Hinge on One Judge’s Sales Decision
The exploit raised concerns across the blockchain dev community, particularly services integrating XRPL.js. Wallet providers Xaman, First Ledger, and Gen3Games announced they were not compromised. The XRP Ledger Foundation also removed the malicious packages.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
