Ripple's XRPL Package Hacked, Users' Private Keys Stolen
Ripple's official NPM package, XRP Ledger (XRPL), was compromised by hackers who installed a backdoor to steal private keys from users' wallets. The breach was discovered when five new packages appeared in the XRP Ledger (XRPL) repository that did not correspond to any previous release, raising suspicion about changes made to the code. The malicious code contacted a newly registered domain, 0x9c.xyz, during the wallet creation process, giving the attackers access to private keys. The attackers refined their methods over successive versions, first shipping the exploit as plain, readable code and later disguising the backdoor inside TypeScript code.
Ripple has advised affected users to check their logs for outgoing traffic to the suspicious domain and to rotate their wallet addresses to prevent future attacks. The compromised versions included 4.2.1 and 4.2.4, and Ripple has released new versions, 4.2.5 and 2.14.3, to mitigate the threat. Affected users should move their assets immediately to new addresses. In the compromised versions the attackers added a method named checkValidityOfSeed() at the end of the file /src/index.ts; it sends a String to the web address 0x9c.xyz/xcm, where the attackers collect the exfiltrated data. The method sends the data in an HTTP POST request and disguises the request as an advertisement referral service to hide the activity from network monitoring tools. Through checkValidityOfSeed() the attackers can steal private keys, mnemonics, and seeds.
The XRP Ledger Foundation (XRPLF) maintains the xrpl.js library, the official package used to communicate with Ripple from JavaScript. The xrpl.js library lets programmers access wallet features, transfer Ripple tokens, and interact with the Ripple blockchain. The package is widely used, averaging 140,000 downloads per week. Malicious code was inserted in versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4. Ripple has released a fixed version, 4.2.5, and developers are advised to replace any infected versions as soon as possible. The danger of such attacks is that they infect libraries used by developers and from there reach end users who install already-compromised apps. Ripple has removed every NPM package that was infected and assured users that the attack affected only the xrpl.js package, not Ripple's core repository.
This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or the GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately. Coinbase suffered a similar attack in March, when attackers targeted its open-source AgentKit. Like the XRPL incident, it was a supply-chain attack aimed at crypto-related projects; Coinbase, however, was able to foil it and prevent any damage to its supply chain. The North Korean hacking group Lazarus has also targeted NPM repositories, using the trick of creating repositories with names similar to those of official libraries.
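As an added example (not code from xrpl.js or the XRP Ledger Foundation), the following script turns the version list and the indicators named above into a quick defender-side audit: it checks a package-lock.json for the backdoored releases, greps installed source for the checkValidityOfSeed identifier and the 0x9c.xyz domain, and flags egress log lines that reach that domain. The lockfile, source snippet and log lines are constructed samples.

```javascript
// Added example, not xrpl.js project code: audit a project for the backdoored releases.
// Versions the article lists as carrying the backdoor, and the fixed release per major line.
const COMPROMISED = new Set(['2.14.2', '4.2.1', '4.2.2', '4.2.3', '4.2.4']);
const FIXED_FOR_MAJOR = { '2': '2.14.3', '4': '4.2.5' };
// Indicators from the article: the exfiltration domain and the injected method name.
const INDICATORS = [/0x9c\.xyz/i, /checkValidityOfSeed/];

// Exact installed version only; a range such as "^4.2.0" must be resolved via the lockfile.
function isCompromised(version) {
  return COMPROMISED.has(version);
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map), including nested
// copies under other dependencies, and report every backdoored xrpl install.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/xrpl$/.test(pkgPath)) continue;
    if (isCompromised(meta.version)) {
      findings.push({ path: pkgPath, version: meta.version,
                      upgradeTo: FIXED_FOR_MAJOR[meta.version.split('.')[0]] });
    }
  }
  return findings;
}

// Grep installed source text (e.g. node_modules/xrpl/dist) for the known indicators.
function scanSource(text) {
  return INDICATORS.filter((re) => re.test(text)).map((re) => re.source);
}

// Flag egress/proxy log lines that reach the exfiltration domain.
function flagEgress(logLines) {
  return logLines.filter((line) => /0x9c\.xyz/i.test(line));
}

// Constructed sample inputs (not real project data).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { dependencies: { xrpl: '^4.2.0' } },
  'node_modules/xrpl': { version: '4.2.4' },
  'node_modules/some-sdk/node_modules/xrpl': { version: '4.2.5' } } });
const SAMPLE_SRC = 'function checkValidityOfSeed(s) {}\nconst u = "https://0x9c.xyz/xcm";';
const SAMPLE_LOG = [
  '2025-04-21T12:00:01Z CONNECT registry.npmjs.org:443 200',
  '2025-04-21T12:00:02Z POST https://0x9c.xyz/xcm 200',
];
console.log(auditLockfile(SAMPLE_LOCK), scanSource(SAMPLE_SRC), flagEgress(SAMPLE_LOG));
```

Run it against a real lockfile by reading the file contents into auditLockfile; a finding means the install must be replaced with the listed fixed version and any keys handled by that build should be rotated.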
Ripple has recently experienced significant gains in the American market, following the SEC's settlement with the crypto company. The change in American regulation has allowed the Ripple network to expand its business practices and focus on innovation. The XRP price has increased by around 300% since Trump's inauguration. In terms of volatility, Ripple shows price dynamics similar to other coins such as Stellar and TRON, which may be due to overlapping remittance markets. There is now a push to release an XRP ETF. Coinbase also launched an XRP futures market on its derivatives platform, announcing the change on April 21.