A serious software vulnerability has been discovered in a recently updated version of the XRP Ledger’s JavaScript development library, raising alarms across the cryptocurrency developer community.
The XRP Ledger Foundation has disclosed that a vulnerability has been found in multiple versions of the xrpl JavaScript package, a widely used software development kit for interacting with the XRP Ledger.
According to the foundation, the vulnerability was discovered by Charlie Eriksen, a malware researcher at Aikido Security, who described the issue as a “potentially devastating” supply chain attack.
“This vulnerability could allow malicious actors to steal users’ private keys and gain unauthorized access to wallets,” Eriksen warned, but it remains unclear whether any users are directly affected.
Affected versions include v4.2.1 through v4.2.4 and v2.14.2. The XRP Ledger engineering team has since released v4.2.5, which invalidates the compromised packages. Users and developers relying on the affected versions are strongly advised to update immediately.
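As an added example, not from the article or the XRP Ledger project: a small Node.js check that scans an npm `package-lock.json` for the xrpl versions listed above, including copies nested under other dependencies. The lockfile it scans is constructed sample data; a real check would read the project's own lockfile.

```javascript
const AFFECTED = {
  // Ranges from the advisory: v4.2.1 through v4.2.4, and v2.14.2.
  4: [[4, 2, 1], [4, 2, 4]],
  2: [[2, 14, 2], [2, 14, 2]],
};

// Parse "4.2.3" (optionally prefixed with "v") into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when an xrpl version lies inside one of the compromised ranges.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  const range = v && AFFECTED[v[0]];
  return !!range && cmp(v, range[0]) >= 0 && cmp(v, range[1]) <= 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// report every installed copy of xrpl, nested ones included, that is affected.
function findAffectedXrpl(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isXrpl = path === 'node_modules/xrpl' || path.endsWith('/node_modules/xrpl');
    if (isXrpl && isAffectedVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): a direct xrpl 4.2.3
// that is compromised and a nested xrpl 4.2.5 that is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/xrpl': { version: '4.2.3' },
    'node_modules/some-dep': { version: '1.0.0' },
    'node_modules/some-dep/node_modules/xrpl': { version: '4.2.5' },
  },
};
console.log(findAffectedXrpl(SAMPLE_LOCK));
```

Any hit it prints is a copy of xrpl that should be replaced with v4.2.5 as the foundation advises; an empty list means no listed version is installed.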
The foundation said the following in a follow-up statement on social media:
“To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not impact the XRP Ledger codebase or the GitHub repository itself.”
The malicious code appears to have been introduced via the Node Package Manager (NPM), a widely used platform for sharing JavaScript packages. Projects like Xaman Wallet and XRPScan confirmed that their services were likely unaffected as they had not adopted the compromised versions.
The XRP Ledger Foundation stated that a full post-mortem on the incident will be published once more information on how the backdoor was exploited becomes available.
Source: https://en.bitcoinsistemi.com/xrp-foundation-makes-statement-about-vulnerability-that-could-result-in-users-assets-being-stolen-must-update-immediately/