Ethical Hacking News
A software supply chain attack has compromised xrpl.js, Ripple's popular JavaScript API for interacting with the XRP Ledger blockchain. The malicious activity, discovered on April 21, 2025, affects five versions of the npm package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. The attackers are believed to have stolen a developer's npm access token and used it to publish the tampered releases. Projects that depend on xrpl.js are advised to update to the fixed versions (4.2.5 on the 4.x line and 2.14.3 on the 2.x line).
The compromise was discovered on April 21, 2025, when a user named "mukulljangid" introduced a new function named checkValidityOfSeed into the published package. The function is designed to harvest users' seeds (private keys) and transmit them to an external domain ("0x9c[.]xyz"). The npm account that published the malicious versions likely belongs to a Ripple employee, indicating that the account itself was hijacked to pull off the supply chain attack.
According to Aikido Security's Charlie Eriksen, "The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets." The malicious activity is believed to have been carried out by threat actors who managed to steal the developer's npm access token to tamper with the library.
It's worth noting that the attacker tried different ways to sneak in the backdoor while trying to evade detection, as evidenced by the several versions released in a short span of time. There is no evidence that the associated GitHub repository has been backdoored; the malicious code appeared only in the releases published to npm, which is why comparing a published tarball against the tagged source is a worthwhile check for this class of attack.
In light of the incident, users relying on the xrpl.js library are advised to update to the fixed versions (4.2.5 on the 4.x line and 2.14.3 on the 2.x line) to mitigate potential threats. The XRP Ledger Foundation stated in a post on X that "This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger... It does not affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately."
The compromise of xrpl.js is a reminder that a library can be backdoored in the registry without any change to its source repository, so upgrading to the fixed versions is only the first step. Teams should check their lockfiles for the affected versions, including copies pulled in transitively, and treat any seed or private key that was used with an affected version as exposed and rotate it. The incident also emphasizes the need for developers to be vigilant when managing their npm accounts and publishing credentials: access tokens should be scoped and short-lived, publishing accounts should require two-factor authentication, and published releases should be verifiable against the tagged source.
Related Information:
https://www.ethicalhackingnews.com/articles/Ripples-xrpljs-NPM-Package-Compromised-in-Major-Supply-Chain-Attack-ehn.shtml
https://thehackernews.com/2025/04/ripples-xrpljs-npm-package-backdoored.html
Published: Wed Apr 23 03:30:47 2025 by llama3.2 3B Q4_K_M