XRP Ledger Foundation Acts Fast on XRPL.js Bug; Threat Neutralized

A critical security breach has rattled the XRP development community following discovery of a backdoor in XRPL.js package versions 4.2.1 through 4.2.4 on NPM. The malicious code, present in versions 4.2.1 through 4.2.4, was capable of stealing users’ private keys and transmitting them to attackers.

This prompted Ripple’s Chief Technology Officer, David Schwartz, to issue a public warning. Developers using these compromised versions are strongly advised to treat any exposed credentials as compromised.

The breach, first reported by Aikido Security, revealed the NPM distribution of XRPL.js was altered with key-stealing code; the GitHub repository was not affected. This suggests only the NPM channel was compromised.

Consequently, developers using trusted sources like GitHub remain unaffected. RippleX’s senior engineer Mayukha Vadari confirmed the core XRP Ledger is still safe and operating normally.

In less than 24 hours, the malicious versions were removed from NPM. A secure version, 4.2.5, has now been published as a fix. Additionally, users operating on the 2.x branch can safely use version 2.14.3. The quick action by the XRP Ledger Foundation and the broader Ripple development team helped contain what could have been a widespread threat.

The exploit raised concerns across the blockchain dev community, particularly services integrating XRPL.js. Wallet providers Xaman, First Ledger, and Gen3Games announced they were not compromised. The XRP Ledger Foundation also removed the malicious packages.