A serious security issue has been discovered affecting a JavaScript library used to interact with the XRP Ledger (XRPL). This doesn’t affect the core XRP Ledger itself, but it does pose a significant risk to users of certain applications.
The Problem: Compromised Library
An XRP Ledger validator alerted the community that versions 4.2.1 and higher of the xrpl.js library (from npm, not GitHub) contain a malicious backdoor. This backdoor allows attackers to steal private keys, potentially leading to the loss of user funds. Aikido Security initially discovered this vulnerability.
Ripple and the XRPL Foundation Respond
Ripple’s CTO, David Schwartz, confirmed the compromise was limited to the xrpl.js library on npm, emphasizing that the XRP Ledger itself remains secure. Ripple engineer Mayukha Vadari reiterated this, urging users to avoid services that have access to their private keys until they’ve confirmed those services are safe.
The XRP Ledger Foundation quickly acted, deprecating the compromised versions on npm and releasing updated, secure versions (4.2.5 and 2.14.3). They’ve also promised a full report on the incident soon.
What You Should Do
- If you’re a developer: Immediately update your xrpl.js library to version 4.2.5 or 2.14.3, depending on your branch.
- If you’re a user: Avoid using any services that access your private keys until you’re certain they’ve updated their xrpl.js library.
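For the developer step above, here is an added example (not code from this article, Ripple or the xrpl.js project): a Node.js check that walks an npm lockfile's packages map, finds every installed copy of xrpl, hoisted or nested, and classifies it against the versions named in the article. The lockfile is constructed, and treating any 2.x release older than 2.14.3 as needing the update is an assumption; the article only names 2.14.3 as the secure release on that branch.

```javascript
// Secure releases named in the article, keyed by major line.
const FIXED = { 4: [4, 2, 5], 2: [2, 14, 3] };
// The article describes "4.2.1 and higher" (below the fix) as compromised.
const FIRST_BAD_4X = [4, 2, 1];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Classify one installed xrpl version:
//   "compromised": 4.x from 4.2.1 up to but not including 4.2.5 (per the article)
//   "update":      older than the secure release for its major line (assumption:
//                  anything below the fixed release should be moved up)
//   "ok":          at or above the secure release
//   "unknown":     a major line the article does not cover
function classify(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (!fixed) return 'unknown';
  if (compare(v, fixed) >= 0) return 'ok';
  if (v[0] === 4 && compare(v, FIRST_BAD_4X) >= 0) return 'compromised';
  return 'update';
}

// Walk a lockfile v2/v3 "packages" map. xrpl may be hoisted or nested under
// another dependency, so match any path ending in node_modules/xrpl.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/xrpl$/.test(path)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: a hoisted xrpl in the described range and a
// nested copy already on the secure release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-app', dependencies: { xrpl: '^4.2.0' } },
    'node_modules/xrpl': { version: '4.2.3' },
    'node_modules/some-sdk/node_modules/xrpl': { version: '4.2.5' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.path}@${f.version}: ${f.status}`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a nested copy can stay compromised even after the top-level dependency is bumped, which is why every path is reported.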
The situation is under control, thanks to the swift response from the XRP Ledger Foundation and Ripple. However, immediate action is crucial to protect your funds.
