A new version of the xrpl package, a JavaScript library for interacting with the XRP Ledger, appears to have been released with a security issue, according to a disclosure from the XRP Ledger Foundation on Tuesday. Charlie Eriksen, the Aikido Security malware researcher who identified the vulnerability, said it could lead to a “potentially catastrophic” supply chain attack on the system.
XRP Ledger engineers have addressed the issue by releasing updated versions of the code to "override the compromised packages" and recommend that anyone using the impacted versions of the JavaScript library (v4.2.1-4.2.4 and v2.14.2) update immediately. The team also said it would publish a post-mortem once it had a better understanding of how the compromised versions came to be released.
"To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately," the foundation wrote in a separate post.
XRPL is a blockchain launched by Ripple Labs over a decade ago for cross-border payments and tokenization.
According to Eriksen, a backdoor was inserted into recently released versions of a software-development kit used to build applications and interact with the XRP Ledger. The issue could conceivably enable malicious attackers to steal users’ private keys and potentially gain unauthorized access to their wallets, though it’s unclear if anyone has been impacted.
"At 21 Apr, 20:53 GMT+0, our system, Aikido Intel started to alert us to five new package versions of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140,000 weekly downloads," Eriksen wrote. "This package is used by hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem."
He noted that the potential impact would be limited to third-party services that updated to the malicious versions within a short window. The backdoor also appears to be limited to the versions published on npm, the package registry developers use to distribute reusable JavaScript packages for Node.js projects; the project's GitHub repository was not affected. Several projects related to XRP, including Xaman Wallet and XRPScan, said their services are likely secure.
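Because exposure depends on whether a project pulled one of the five compromised versions into its dependency tree during that window, the practical first check is to inspect the lock file rather than just package.json, since a transitive dependency can pin a different xrpl copy than the one the application declares. The following is an added example, not code from the article, Aikido or the xrpl project: it scans an npm package-lock.json (lockfileVersion 1 and 2/3 layouts) for every installed copy of xrpl and flags the versions named in the disclosure (4.2.1-4.2.4 and 2.14.2). The sample lock files embedded below are constructed for the example; the package names in them (example-app, wallet-helper) are hypothetical.

```javascript
// Added example (not from the article or the xrpl project): find every copy
// of xrpl in an npm package-lock.json and flag the compromised versions.
// Affected versions per the disclosure quoted in the article: 4.2.1-4.2.4
// and 2.14.2. Runs offline on the constructed lock files at the bottom.

const COMPROMISED_XRPL_VERSIONS = new Set([
  "4.2.1", "4.2.2", "4.2.3", "4.2.4", // 4.x line
  "2.14.2",                            // 2.x line
]);

// lockfileVersion 2/3: a flat "packages" map keyed by install path, e.g.
// "node_modules/xrpl" or "node_modules/wallet-helper/node_modules/xrpl",
// so nested (transitive) copies show up as their own entries.
function walkPackagesV2(packages, out) {
  const marker = "node_modules/";
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue; // "" is the root project itself
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (name === "xrpl" && meta && typeof meta.version === "string") {
      out.push({ path: installPath, version: meta.version });
    }
  }
}

// lockfileVersion 1: a nested "dependencies" tree where each entry carries
// its own transitive copies under its own "dependencies" key.
function walkDependenciesV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = `${prefix}node_modules/${name}`;
    if (name === "xrpl" && meta && typeof meta.version === "string") {
      out.push({ path: installPath, version: meta.version });
    }
    if (meta && meta.dependencies) {
      walkDependenciesV1(meta.dependencies, `${installPath}/`, out);
    }
  }
}

// Every installed xrpl copy, each tagged with whether its version is compromised.
function findXrplInstalls(lockfile) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  const found = [];
  if (lock.packages) walkPackagesV2(lock.packages, found);
  else if (lock.dependencies) walkDependenciesV1(lock.dependencies, "", found);
  return found.map((e) => ({ ...e, compromised: COMPROMISED_XRPL_VERSIONS.has(e.version) }));
}

// Only the copies that need to be rotated/upgraded.
function compromisedXrplInstalls(lockfile) {
  return findXrplInstalls(lockfile).filter((e) => e.compromised);
}

// Constructed sample (lockfileVersion 3): the app pinned 4.2.5 directly, but a
// hypothetical transitive dependency still carries its own xrpl 4.2.3.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { xrpl: "4.2.5", "wallet-helper": "1.0.0" } },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/wallet-helper": { version: "1.0.0", dependencies: { xrpl: "~4.2.0" } },
    "node_modules/wallet-helper/node_modules/xrpl": { version: "4.2.3" },
  },
});

// The same situation expressed in the older lockfileVersion 1 layout.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    xrpl: { version: "4.2.5" },
    "wallet-helper": {
      version: "1.0.0",
      requires: { xrpl: "~4.2.0" },
      dependencies: { xrpl: { version: "4.2.3" } },
    },
  },
});

for (const hit of compromisedXrplInstalls(SAMPLE_LOCK_V3)) {
  console.log(`COMPROMISED xrpl@${hit.version} at ${hit.path}`);
}
```

A hit in the nested path is the case that `npm ls xrpl` at the top level can hide if the direct dependency was already bumped; any project that shows a compromised copy should treat keys handled by that code as exposed, in line with the guidance quoted below.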
"If you believe that you may have been impacted, it's important to assume that any seed or private key that was processed by the code has been compromised," Eriksen said. "Those keys should no longer be used, and any assets associated with them should be moved to another wallet/key immediately."
XRP, the native cryptocurrency of the network used to pay fees, is up 4% on Tuesday amid a broader market rally, according to The Block’s price page.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Disclaimer: This article represents only the personal views of its author and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.