- XRP Ledger – Backdoored releases of the xrpl.js SDK (versions 4.2.1–4.2.4) exposed users to private key theft and unauthorized access to their wallets.
- Aikido detected the compromise on April 21 and raised the alarm quickly, limiting the damage the backdoor could do.
- The XRPL Foundation swiftly deprecated the compromised versions and released a patch (v4.2.5) to secure the ecosystem.
Software security firm Aikido has sounded the alarm on what could have been one of the most severe supply chain attacks ever to hit the XRP Ledger (XRPL) ecosystem.
Aikido, a software security company focused on developer tools, revealed that malicious versions of the `xrpl.js` software development kit (SDK), the backbone of many apps built on the XRP Ledger, had been published to NPM.
The compromised versions, 4.2.1 through 4.2.4, carried a backdoor that stole private keys, potentially giving the attackers unauthorized access to user wallets and crypto funds.
According to Aikido, the threat was first flagged on April 21 at 20:53 GMT, when its monitoring tool, Aikido Intel, detected five new, suspicious versions of the XRPL SDK package. A deeper analysis confirmed the worst: the official XRPL package had been compromised with a stealthy backdoor.
“We quickly confirmed the official XRPL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets,” Aikido said in a statement.
XRP Ledger Foundation Responds to SDK Breach
With over 140,000 weekly downloads and integration across thousands of decentralized apps, wallets, and crypto tools, a compromise of the SDK could have had catastrophic consequences across the XRP ecosystem and beyond.
The attackers published multiple compromised versions in quick succession, a common tactic in software supply chain attacks that keeps a malicious release in circulation and muddies the trail for investigators. Because npm resolves caret ranges such as ^4.2.0 to the newest matching release, any fresh install during that window would have pulled a backdoored build unless a lockfile pinned an earlier one. Fortunately, Aikido’s real-time monitoring of public registries like NPM helped intercept the compromise before it could cause widespread damage.
In response, the XRPL Foundation, the nonprofit steward of the XRP Ledger, moved quickly. It confirmed the compromise, deprecated the malicious versions on NPM, and released a patched version, v4.2.5, to replace the compromised packages.
“This vulnerability is in `xrpl.js`, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or the GitHub repository itself,” the Foundation clarified on social platform X.
Developers have been strongly urged to upgrade to v4.2.5 immediately, or to v2.14.3 on the 2.x line, and to check their lockfiles for any copy of xrpl pulled in transitively by other packages. Any continued use of versions 4.2.1–4.2.4 leaves applications dangerously exposed, and any private key loaded by an application while it ran one of those versions should be treated as exposed.
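The check a practitioner would want after that advice is a scan of the project's npm lockfile for the versions named above, including copies nested under other dependencies, which is where a caret range or a third-party SDK can quietly pull in a bad build. The script below is an added example written for this page; it is not Aikido's tooling, nor code from xrpl.js or the XRPL Foundation. The two lockfiles it scans are constructed samples (the package name `some-wallet-sdk` is invented), and the version sets come only from the advisory as reported here: 4.2.1–4.2.4 compromised, 4.2.5 and 2.14.3 as the replacements.

```javascript
// Added example (not xrpl.js, Aikido or XRPL Foundation code): flag the xrpl.js
// versions named in the advisory inside an npm lockfile, including nested copies.
// Versions are taken from the page: 4.2.1-4.2.4 backdoored; 4.2.5 / 2.14.3 clean.

const COMPROMISED = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4']);
// Replacement release per major line, as reported in the advisory.
const FIXED_BY_MAJOR = { 4: '4.2.5', 2: '2.14.3' };

// Lockfile v2/v3: a flat "packages" map keyed by install path,
// so a nested copy shows up as ".../node_modules/xrpl".
function collectV2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta.version) continue; // root entry, links and workspaces carry no version
    if (path === 'node_modules/xrpl' || path.endsWith('/node_modules/xrpl')) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Lockfile v1: a nested "dependencies" tree; walk it recursively.
function collectV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'xrpl' && meta.version) hits.push({ path, version: meta.version });
    collectV1(meta.dependencies, `${path}/`, hits);
  }
  return hits;
}

// Returns one record per installed xrpl copy with a verdict and, if affected,
// the release to move to on the same major line.
function scanLockfile(lock) {
  const hits = lock.packages ? collectV2(lock) : collectV1(lock.dependencies, '', []);
  return hits.map((h) => {
    const compromised = COMPROMISED.has(h.version);
    const major = Number(h.version.split('.')[0]);
    return { ...h, compromised, upgradeTo: compromised ? FIXED_BY_MAJOR[major] ?? null : null };
  });
}

// Constructed sample lockfile (v3 shape), not a real project's file.
// The top-level caret range has resolved to a backdoored 4.2.x build, while a
// hypothetical dependency carries its own nested, clean 2.14.3 copy.
const SAMPLE_LOCK_V3 = {
  name: 'demo-wallet',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { xrpl: '^4.2.0', 'some-wallet-sdk': '^1.0.0' } },
    'node_modules/xrpl': { version: '4.2.3' },
    'node_modules/some-wallet-sdk': { version: '1.0.0', dependencies: { xrpl: '^2.14.0' } },
    'node_modules/some-wallet-sdk/node_modules/xrpl': { version: '2.14.3' },
  },
};

// Constructed v1-shaped sample with the same dependency tree.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    xrpl: { version: '4.2.1' },
    'some-wallet-sdk': { version: '1.0.0', dependencies: { xrpl: { version: '2.14.3' } } },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const h of scanLockfile(lock)) {
    console.log(
      h.compromised
        ? `AFFECTED ${h.path}@${h.version} -> upgrade to ${h.upgradeTo}`
        : `ok       ${h.path}@${h.version}`,
    );
  }
}
```

On a live project `npm ls xrpl` prints the same tree, but reading the lockfile directly works offline, on a CI artifact or a checked-out repository, and is the same walk a registry-monitoring tool performs across many projects at once. Matching exact versions rather than a semver range is deliberate: the advisory lists specific releases, and a range check would either miss nothing extra or start flagging versions the page does not name.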
No Major Breaches as XRPL Projects Confirm Security
So far, no major breaches have been reported. Several high-profile XRPL-based projects have stepped forward to reassure users. Xaman Wallet confirmed that it uses custom infrastructure and its own private key handling, so it is not affected. XRPScan stated that it relies on a much older, unaffected version of the SDK. Bifrost Wallet, OpulenceX, RibbleXRP, and Gen3 Games have likewise confirmed that they do not use the compromised code.
This incident is the latest in a series of increasingly sophisticated attacks on the crypto development supply chain. In March, Coinbase was the target of a GitHub Actions supply chain attack attempt, which was thwarted. Earlier still, North Korea's Lazarus Group was caught targeting developers with malicious NPM packages.
While attribution in the XRPL case remains unclear, the similarities to past attacks have raised questions about whether the same state-linked threat actors are broadening their reach.