

Ethical Hacking News

Ripple’s Recommended XRP Library xrpl.js Hacked to Steal Wallets: A Devastating Attack on Cryptocurrency Security



Ripple's recommended XRP library xrpl.js was hacked and compromised, allowing malicious actors to steal wallet seeds and private keys. This devastating attack on cryptocurrency security highlights the need for stringent cybersecurity measures in software development.

  • The xrpl.js library has been hacked and compromised, allowing malicious actors to steal wallet seeds and private keys.
  • The compromised versions of the xrpl NPM package were published on the npm registry between April 21, 2025, at 4:46 PM ET and 5:49 PM ET.
  • The attack was facilitated by a suspicious method named "checkValidityOfSeed" in the affected versions of the library.
  • A total of 452 downloads were recorded for the affected versions of the xrpl.js packages between April 21, 2025, at 4:46 PM ET and 5:49 PM ET.
  • The malicious code appears to have been added by a developer account associated with the Ripple organization, likely through compromised credentials, suggesting an insider threat.



    Ripple's recommended XRP library, xrpl.js, was compromised in a way that let malicious actors steal wallet seeds and private keys, putting the funds of numerous cryptocurrency holders at risk. Lawrence Abrams, owner and Editor-in-Chief of BleepingComputer.com, reported that the compromised versions of the xrpl NPM package were published on the npm registry between 4:46 PM and 5:49 PM ET on April 21, 2025. The maliciously altered packages have since been removed, and a clean 4.2.5 release is now available; users should upgrade to it immediately.

    The xrpl.js library, maintained by the XRP Ledger Foundation (XRPLF), is Ripple's recommended library for interacting with the XRP blockchain via JavaScript. It is widely adopted, with over 140,000 downloads recorded in one week alone. In the affected versions, a suspicious method named "checkValidityOfSeed", appended to the end of the "/src/index.ts" file, enabled threat actors to steal sensitive data, including wallet seeds and private keys.

    Developer security company Aikido investigated further and found that this method is called from various functions across the compromised libraries, which is how XRP wallet seeds and private keys are stolen. With the stolen data, an attacker can import the victim's XRP wallet on their own device and drain any funds stored in it.

    In order to better understand the scope of the attack, BleepingComputer provided details about the downloads of the compromised xrpl.js packages. Between 4:46 PM and 5:49 PM ET on April 21, 2025, a total of 452 downloads were recorded for the affected versions, including 57 downloads of version 2.14.2, 106 downloads of version 4.2.2, 69 downloads of version 4.2.3, and 179 downloads of version 4.2.4.

    Beyond the recorded downloads of these compromised packages, the actual impact may have been larger because the library is so widely adopted. The malicious code appears to have been added by a developer account associated with the Ripple organization, likely through compromised credentials, suggesting an insider threat.

    In light of this devastating attack on cryptocurrency security, it is crucial for users to take immediate action and rotate any private keys or secrets used in affected systems. Additionally, if any account's master key is potentially compromised, users should disable it to avoid further risks. The XRP Ledger supports key rotation, which can be done using the provided tutorials at https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair.
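
    Before rotating keys, it helps to know whether a project ever resolved one of the versions listed above. The following is an added example, not code from xrpl.js, Aikido or BleepingComputer: it walks a parsed package-lock.json (both lockfile layouts) and flags every copy of xrpl, including copies nested under other dependencies. The sample lockfiles and the package names "demo-wallet-app", "pay-widget" and "xrpl-helper" are constructed for illustration.

```javascript
// Versions the article lists as compromised. It introduces the list with
// "including", so treat the set as possibly incomplete.
const AFFECTED = new Set(["2.14.2", "4.2.2", "4.2.3", "4.2.4"]);

// Return every resolved copy of xrpl recorded in a parsed package-lock.json,
// including copies nested under other dependencies.
function findXrpl(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, affected: AFFECTED.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl")) {
        record(path, meta.version);
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "xrpl") record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (hypothetical projects, not real data).
const sampleLockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/pay-widget/node_modules/xrpl": { version: "4.2.4" },
    "node_modules/xrpl-helper": { version: "1.0.0" }, // different package, must not match
  },
};
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    "pay-widget": { version: "3.0.0", dependencies: { xrpl: { version: "2.14.2" } } },
  },
};

for (const hit of [...findXrpl(sampleLockV3), ...findXrpl(sampleLockV1)]) {
  console.log(`${hit.affected ? "AFFECTED" : "ok"} xrpl@${hit.version} at ${hit.path}`);
}
```

    To audit a real project, pass `findXrpl` the result of `JSON.parse` on its package-lock.json; check lockfiles from build servers and older commits as well, since any of them may have resolved a dependency during the publication window.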

    In conclusion, this incident highlights the dangers of supply chain attacks and underscores the need for stringent cybersecurity measures in software development. As with earlier compromises of Ethereum and Solana NPM packages used to steal wallet seeds and private keys, it is essential for users to stay vigilant and maintain up-to-date security protocols in order to safeguard their cryptocurrency assets.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ripples-Recommended-XRP-Library-xrpljs-Hacked-to-Steal-Wallets-A-Devastating-Attack-on-Cryptocurrency-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/ripples-recommended-xrp-library-xrpljs-hacked-to-steal-wallets/


  • Published: Tue Apr 22 12:42:16 2025 by llama3.2 3B Q4_K_M












