The Popular xrpl.js Ripple Cryptocurrency Library Compromised in Supply Chain Attack

The widely used xrpl.js Ripple cryptocurrency library has fallen victim to a sophisticated supply chain attack, exposing hundreds of thousands of applications and websites to theft of their users' private keys. The malicious code was inserted into the official npm package, which has been downloaded over 2.9 million times to date.

Aikido Intel, a cybersecurity firm, detected the compromise on April 21st at 20:53 GMT+0, when its monitoring system flagged five new versions of the xrpl package containing malicious code, including backdoors designed to steal cryptocurrency private keys and gain access to wallets. Further investigation showed that all five malware-laced versions were published by the npm user 'mukulljangid', starting at 21 April, 20:53 GMT+0.

The attackers used a function named checkValidityOfSeed to exfiltrate the stolen material to the domain "0x9c[.]xyz". It is unclear who is behind the attack, but experts note that the multiple version bumps reflect the attackers refining their methods: version 4.2.1 removed key configs; 4.2.2 introduced malicious JavaScript; later versions (4.2.3, 4.2.4) added backdoors written in TypeScript, showing the attacker's evolving evasion tactics and a move from manual code insertion to compiled backdoors.

The problem has been fixed in versions 4.2.5 and 2.14.3. Users of the xrpl.js library are urged to update to these versions to mitigate risks from the recent supply chain attack. The company provided indicators of compromise to check whether users' systems may have been affected by the malicious versions of the library.

Impact on the Cryptocurrency Community

The xrpl.js library is widely used for integrating JavaScript/TypeScript apps with the XRP Ledger, making it a crucial component in many cryptocurrency-related projects. With over 140,000 weekly downloads, its impact on the cryptocurrency community cannot be overstated. The compromise highlights the need for rigorous security measures and monitoring of open-source packages to prevent such attacks.

Prevention and Mitigation Measures

To avoid falling victim to this attack, users are advised to update their xrpl.js library to versions 4.2.5 or 2.14.3 immediately. This will ensure that the malicious code is removed and the risk of data theft is minimized.

Additionally, users can check for indicators of compromise provided by the company to determine if their systems have been affected by the malicious versions of the library. It is essential to stay vigilant and proactive in protecting against such attacks, especially when dealing with open-source packages that are widely used across various applications and websites.
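As an added example (not code from the article, from Aikido, or from the xrpl.js project), the following Node.js script audits an npm package-lock.json object for xrpl entries at the versions the article names as malicious and scans text for the two indicators it mentions. It assumes the lockfile v2/v3 layout (a "packages" map keyed by install path); the malicious-version list only contains the four versions the article names and should be completed from the vendor advisory.

```javascript
// Added example: audit a package-lock.json object and source text for the
// xrpl.js indicators named in the article. Assumes npm lockfile v2/v3 layout.

// Versions the article explicitly names as malicious. The article says five
// versions were published; the fifth is not named there, so complete this
// list from the vendor advisory before relying on it.
const MALICIOUS_VERSIONS = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4']);
// Fixed versions per major line, as stated in the article.
const FIXED_VERSIONS = { 4: '4.2.5', 2: '2.14.3' };

// Indicators taken from the article: the exfiltration function name and domain.
const IOC_PATTERNS = [/checkValidityOfSeed/, /0x9c\.xyz/];

// Return every xrpl entry in the lockfile (direct or nested) with a verdict.
function auditLockfile(lockfile) {
  const results = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/xrpl')) continue;
    const version = meta.version;
    const major = Number(version.split('.')[0]);
    results.push({
      path,
      version,
      malicious: MALICIOUS_VERSIONS.has(version),
      recommended: FIXED_VERSIONS[major] || null,
    });
  }
  return results;
}

// Scan text (e.g. an installed xrpl dist file) for the article's indicators;
// returns the matched strings so a hit can be reported verbatim.
function scanForIocs(text) {
  const hits = [];
  for (const re of IOC_PATTERNS) {
    const m = text.match(re);
    if (m) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample lockfile for demonstration, not a real project's.
const SAMPLE_LOCKFILE = {
  packages: {
    'node_modules/xrpl': { version: '4.2.3' },
    'node_modules/some-wallet/node_modules/xrpl': { version: '4.2.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditLockfile(SAMPLE_LOCKFILE));
  console.log(scanForIocs('function checkValidityOfSeed(s) { fetch("https://0x9c.xyz/") }'));
}
```

On a real project, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` and run `scanForIocs` over the files under node_modules/xrpl.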

Conclusion

The recent supply chain attack on the xrpl.js Ripple cryptocurrency library serves as a stark reminder of the importance of cybersecurity in the digital age. As the use of open-source packages continues to rise, it is crucial for developers and users alike to remain vigilant and take proactive measures to protect themselves against such attacks.