The XRP Ledger community is on high alert after a critical vulnerability was discovered in xrpl.js, a popular JavaScript library used to interact with the XRP Ledger network. The issue, identified by Charlie Eriksen, a malware researcher at Aikido Security, was malicious code inserted into the published package: a backdoor that could allow attackers to access private keys and take control of third-party wallets.
Vulnerability Details
The vulnerability affects specific versions of xrpl.js, namely v4.2.1 to v4.2.4 and v2.14.2. The XRP Ledger Foundation has confirmed that the issue is limited to the xrpl.js package and does not impact the XRP Ledger’s source code or GitHub repository. Users are urged to update to the secure version v4.2.5 immediately.
The affected library is used by hundreds of thousands of applications, including wallet services, block explorers, and payment platforms operating on the XRP Ledger network. However, some projects, such as Xaman Wallet and XRPScan, have confirmed that their systems were not compromised as they do not automatically update their dependencies.
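A practical first step for any project that depends on xrpl.js is to check which versions are actually installed, including transitive copies nested under other packages. The script below is an added example, not code from the article or from the XRP Ledger Foundation: it scans a package-lock.json "packages" map (lockfile v2/v3 layout) for every installed copy of xrpl and flags the versions named above (v4.2.1 to v4.2.4 and v2.14.2). The sample lockfile is constructed for the demonstration.

```javascript
// Added example: flag installed xrpl.js versions named in the advisory.
// Affected versions come from the article; the lockfile below is constructed.
const AFFECTED_EXACT = new Set(['2.14.2']);
const AFFECTED_RANGE = { min: [4, 2, 1], max: [4, 2, 4] }; // inclusive bounds
const FIXED_VERSION = '4.2.5';

// Parse a plain "x.y.z" (optionally "vx.y.z") into numeric parts; null otherwise.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) return false; // unparsable entries are reported separately if needed
  if (AFFECTED_EXACT.has(parsed.join('.'))) return true;
  return compare(parsed, AFFECTED_RANGE.min) >= 0 &&
         compare(parsed, AFFECTED_RANGE.max) <= 0;
}

// Walk every lockfile entry, including nested copies such as
// node_modules/<dep>/node_modules/xrpl, and return the affected ones.
function findAffectedXrpl(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/xrpl$/.test(path)) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample: a direct install already on the fixed release, plus a
// transitive copy pulled in by a hypothetical SDK that still resolves to 4.2.3.
const sampleLock = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/xrpl': { version: FIXED_VERSION },
    'node_modules/some-wallet-sdk': { version: '0.9.0' },
    'node_modules/some-wallet-sdk/node_modules/xrpl': { version: '4.2.3' },
  },
};

console.log(findAffectedXrpl(sampleLock));
```

Any hit means the private keys handled by that code path should be treated as exposed, in line with the guidance in the next section, and the dependency bumped to v4.2.5 before the build is used again.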
Potential Impact
Eriksen warns that users who may have been affected should assume the worst and take immediate action. “If you think you might have been affected, you should assume that any private key or seed processed by that code has been compromised,” he said. “Those keys should no longer be used, and associated assets should be transferred to a new wallet immediately.”
The incident highlights the importance of auditing open-source libraries, especially those deeply integrated into a cryptocurrency's infrastructure. External dependencies can become entry points for complex attacks without any direct breach of the blockchain network itself. The XRP Ledger Foundation has committed to publishing a comprehensive report on the incident once its analysis is complete.
Market Reaction
Despite the incident, the price of XRP showed a slight recovery, rising 4% on Tuesday, driven by a general uptrend in the crypto market. The XRP Ledger team continues to investigate how the malicious code was introduced and promises greater transparency once their technical analysis is concluded.