Backdoor could steal private keys from wallets
- NPM is the XRP Ledger software development kit, with more than 140,000 weekly downloads.
- Aikido Security indicates that affected NPM versions range from 4.2.1 to 4.2.4.
Aikido Security, a cybersecurity firm that investigates code vulnerabilities in cryptocurrency networks, announced on April 21 that XRPL contains a backdoor that sends private keys to attackers. The vulnerability reportedly lies specifically in the XRPL package called NPM, a library for application developers.
The NPM XRPL package is a JavaScript/TypeScript library designed to interact with the XRP Ledger network (XRPL). According to the website of this developer library, NPM is the “recommended option” for integrating applications with XRPL, especially for solutions such as payment routes, decentralized exchanges, account settings and multi-signature, among others.
At present, NPM is used to carry out functions as diverse as key management, funding and creation of test credentials, and sending transactions to the XRP Ledger, among others.
Consequently, the vulnerability discovered by Aikido Security could extend across many XRPL applications, which represents a systemic risk.
The above is especially true because, according to the security firm, NPM is “the SDK (software development kit) for XRP Ledger, with more than 140,000 weekly downloads.” This weekly download figure is confirmed by the NPM website itself.
On April 21 at 20:53 GMT, our system, Aikido Intel, alerted us to five new versions of the XRPL package. This is the official SDK of the XRP Ledger, with more than 140,000 weekly downloads. We quickly confirmed that the official XRPL (Ripple) NPM package was compromised by sophisticated attackers who installed a backdoor to steal private cryptocurrency keys and gain access to cryptocurrency wallets. This package is used by hundreds of thousands of applications and websites, which makes it a potentially catastrophic attack on the cryptocurrency ecosystem supply chain.
Aikido Security, a cybersecurity firm.
Aikido Security indicates that affected NPM versions range from 4.2.1 to 4.2.4, and recommends not updating the development package if you use an earlier version of the library.
According to the firm, a user called “Mukulljangid” published five new versions of the NPM library, but these versions do not match the official releases shown in the GitHub repository, where the latest version is 4.2.0. For Aikido, “the fact that these packages appeared without a corresponding version in GitHub is very suspicious.”
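A defender-side check that follows from the two signals described above (an installed version inside the reported 4.2.1 to 4.2.4 range, and a published version with no matching GitHub release). This is an added example, not code from the article, Aikido or Ripple; it assumes the package appears under the `node_modules/xrpl` key of a package-lock.json and uses a constructed allow-list in place of the real release-tag list.

```javascript
// Added example, not from the article or from Aikido/Ripple: scan a
// package-lock.json for the XRPL npm package at a version in the range the
// article reports as compromised (4.2.1 to 4.2.4), and flag any resolved
// version that has no matching tag among the official GitHub releases.
const AFFECTED = { min: [4, 2, 1], max: [4, 2, 4] };
// Constructed allow-list of known-good release tags; a real check would
// fetch the repository's tag list instead.
const OFFICIAL_TAGS = new Set(["4.1.0", "4.2.0"]);
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function inAffectedRange(version) {
  const v = parseSemver(version);
  return cmp(v, AFFECTED.min) >= 0 && cmp(v, AFFECTED.max) <= 0;
}
// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every install of the package (direct or nested) that is in the
// affected range or is not backed by an official release tag.
function auditLockfile(lock, pkgName = "xrpl") {
  const findings = [];
  const suffix = `node_modules/${pkgName}`;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    const reasons = [];
    if (inAffectedRange(entry.version)) reasons.push("version in reported compromised range");
    if (!OFFICIAL_TAGS.has(entry.version)) reasons.push("no matching official release tag");
    if (reasons.length) findings.push({ path, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile: a direct dependency pinned to a compromised
// version and a nested copy on the last official release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.4" },
    "node_modules/some-lib/node_modules/xrpl": { version: "4.2.0" },
  },
};
```

Running `auditLockfile(SAMPLE_LOCK)` reports only the direct 4.2.4 install, with both reasons attached; the nested 4.2.0 copy passes because it is outside the range and matches an official tag.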
Likewise, this security firm detected “strange” lines of code in the new packages through its code monitoring solution, known as Aikido Intel. Specifically, the function checkValidityOfSeed and the domain 0x9c[.]xyz.
Everything seems normal until the end. What is this function checkValidityOfSeed? And why does it call a random domain called 0x9c[.]xyz? Let’s get to the point!
Aikido Security, a cybersecurity firm.
The mentioned domain is suspiciously recent, according to Aikido, which additionally discovered that a code function written as “public constructor(” would be stealing private wallet keys in XRPL.
A subsequent Aikido investigation into the user who was apparently updating the library revealed the following: “The packages were published by the user Mukulljangid. If we search for that username on Google, we obtain a LinkedIn profile of someone who seems to be a legitimate employee of Ripple since July 2021. Therefore, this suggests that this developer’s credentials were stolen to publish these new malicious packages.”
The credentials of internal employees of organizations and companies are a classic attack vector for hackers.
As Cryptonotics reported, a report released by the Bybit CEO pointed out that the North Korean Lazarus Group could have accessed the AWS S3 account, an Amazon Web Services (AWS) service, using the credentials of an employee involved. This hack cost the exchange losses of up to 1.5 billion dollars.
