
Crypto-Stealing Backdoor Found in Official XRP Ledger NPM Package


A supply chain attack compromised the official XRP Ledger JavaScript SDK: specific versions of the xrpl package published to NPM carried a backdoor designed to steal private keys, putting connected XRP wallets at risk.

SlowMist issued a high-priority alert urging immediate updates and credential rotation.

How Malicious Code Hit NPM

The attack centered around the xrpl NPM package, used by developers to interact with the XRP Ledger blockchain. Between April 21 at 20:53 GMT+0 and April 22, malicious versions 4.2.1 through 4.2.4 and 2.14.2 were published to NPM under a legitimate package name.

However, these versions were published by an unauthorized user, “mukulljangid”, and included code that could steal private keys from crypto wallets.

Unlike standard updates, these releases were not mirrored on the official GitHub repository, prompting red flags within the security community. Aikido, a software supply chain monitoring platform, first identified the suspicious activity and published its findings on April 21.

How the Backdoor Worked

The backdoor operated by introducing a remote function that connected to a suspicious domain: 0x9c[.]xyz. Once active, it could extract sensitive data, including private keys, and send it externally. The code bypassed traditional security checks by hiding in trusted software libraries, exposing a wide range of applications and users to risk.

The affected versions had already been downloaded thousands of times before discovery. Given that the package sees over 140,000 downloads weekly, the breach could have impacted numerous crypto-focused applications.

Fix Issued, Urgent Actions Advised

The XRP Ledger development team responded by removing the malicious versions and publishing patched releases: 4.2.5 and 2.14.3.

Aikido urged developers to take immediate action to protect their systems and user data. First, they should upgrade to the patched versions of the XRP Ledger package, which have removed the malicious code.

It is critical to avoid installing or using any compromised versions as they contain backdoors capable of stealing sensitive information.

In addition, developers should rotate any private keys or secrets that may have been exposed during the period these versions were in use. Lastly, systems should be carefully monitored for any suspicious outbound traffic, especially connections to the domain 0x9c[.]xyz, which has been linked to the malicious activity.

SlowMist emphasized that developers using earlier versions (pre-4.2.1 or pre-2.14.2) should not upgrade directly to the infected releases. Instead, they should skip straight to the clean versions.
