XRP Ledger Foundation warns of critical vulnerability in one of its JavaScript repositories


By Angel di Matteo @Shadowargel

Reports indicate that the xrpl.js package contained a critical vulnerability: a malicious backdoor that would allow attackers to access private keys and third-party wallets.

***

  • The XRP Ledger Foundation confirmed that several versions of the xrpl.js package were compromised.
  • Charlie Eriksen, of Aikido Security, warned of a possible supply chain attack.
  • Users must immediately update to the safe version 4.2.5 to avoid risk.

The development community on the XRP Ledger faces a serious security alert. An independent researcher discovered a critical vulnerability in several recent versions of the xrpl.js package, a popular JavaScript library used to interact with the XRP Ledger network. The incident has set off alarms in the ecosystem, given its potential severity as a supply chain attack.

Recent reports indicate that the vulnerability was detected by Charlie Eriksen, malware researcher at Aikido Security. As he explained, the company's automated monitoring system, Aikido Intel, identified five new versions of the xrpl package that included a malicious backdoor. Insertions of this kind can allow attackers to access private keys and control third-party wallets without authorization.

“This package is the official SDK of the XRP Ledger and has more than 140,000 weekly downloads,” Eriksen warned. “The scale of use makes it a potentially catastrophic attack vector for the crypto ecosystem.”

What is known so far?

The vulnerability affects only the xrpl.js package in specific versions: 4.2.1 through 4.2.4, and 2.14.2. It does not affect the source code of the XRP Ledger or its GitHub repository, as the XRP Ledger Foundation clarified.

The organization issued a statement strongly recommending that all developers who use xrpl.js update to the safe version 4.2.5 immediately. It also promised to publish a full incident report once there is more clarity about how the vulnerability was introduced.

The threat appears to be limited to those who updated the package during the specific time window in which the compromised versions were available in the npm (Node Package Manager) registry. npm is a widely used platform for sharing reusable packages in JavaScript projects.
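As an added defender's check (not code from the article or the XRPL project), the following Node.js script scans a package-lock.json for the affected xrpl versions the article names, including transitive copies nested under other dependencies. The sample lockfile and the package name some-wallet-sdk are constructed for the example.

```javascript
// Added example (not code from the article or the XRPL project): scan an npm
// package-lock.json for the xrpl.js versions the article lists as compromised.
// Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).
const AFFECTED_XRPL_VERSIONS = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const SAFE_XRPL_VERSION = "4.2.5"; // the version the Foundation recommends

// Returns every xrpl entry in the lockfile whose version is affected, including
// nested copies installed under node_modules/<dependency>/node_modules/xrpl.
function findAffectedXrpl(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/xrpl") && AFFECTED_XRPL_VERSIONS.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "xrpl" && AFFECTED_XRPL_VERSIONS.has(entry.version)) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

function scanLockfile(file) {
  return findAffectedXrpl(JSON.parse(require("fs").readFileSync(file, "utf8")));
}

// Constructed sample (v3 layout): a direct 4.2.5 install plus a transitive
// 4.2.3 pulled in by a hypothetical "some-wallet-sdk" dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/some-wallet-sdk": { version: "1.0.0" },
    "node_modules/some-wallet-sdk/node_modules/xrpl": { version: "4.2.3" },
  },
};

// Usage: node scan-xrpl.js [package-lock.json]; with no argument the constructed sample is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const hits = process.argv[2] ? scanLockfile(process.argv[2]) : findAffectedXrpl(SAMPLE_LOCK);
  for (const h of hits) console.log(`AFFECTED: ${h.path} xrpl@${h.version} -> update to ${SAFE_XRPL_VERSION}`);
}
```

A nested hit like the one in the sample is why checking only the top-level `xrpl` version in package.json is not enough; the lockfile records every installed copy.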

Impact on applications and projects

The affected library is used by hundreds of thousands of applications, including wallet services, block explorers and payment platforms that operate on the XRP Ledger network.

However, several major projects have already confirmed that their systems were not compromised. Among them are Xaman Wallet and XRPScan, which stated that they do not update their dependencies automatically and that their current versions are safe.

Despite these assurances, the researcher warns those who may have used the compromised versions to assume the worst.

“If you think you could have been affected, you must assume that any private key or seed processed by that code has been compromised,” Eriksen said. “These keys should no longer be used, and the associated assets must be transferred immediately to a new wallet.”

XRP Ledger is a blockchain network developed more than a decade ago by Ripple Labs, focused mainly on cross-border payments and asset tokenization. Its technical reliability has been one of its hallmarks, so this breach is a blow to confidence in the ecosystem, even though the core of the network was not affected.

From a security standpoint, the incident underlines the importance of auditing open-source libraries, especially when they are so deeply integrated into a cryptocurrency's infrastructure. External dependencies can become entry points for complex attacks without the blockchain network itself being directly breached.

Despite the incident, the price of the XRP token showed a slight recovery, rising 4% on Tuesday, driven by a general upward trend in the crypto market.

What comes next

The team behind XRP Ledger continues to investigate how the malicious code was introduced and promises greater transparency once its technical analysis is complete. In the meantime, all developers are advised to audit their dependencies and rotate keys if in doubt.

The incident serves as a reminder that even the most robust ecosystems can be threatened by failures in their digital supply chain.


Article written with the help of an AI content editor, edited by Angel Di Matteo / Diariobitcoin

Original image of Diariobitcoin, created with artificial intelligence, for free use, licensed under public domain.

WARNING: Diariobitcoin offers informative and educational content on various topics, including cryptocurrencies, AI, technology and regulation. We do not provide financial advice. Crypto asset investments are high risk and may not be suitable for everyone. Do your research, consult an expert and verify the applicable legislation before investing. You could lose all of your capital.
