The XRP Foundation has made the first announcement regarding a security vulnerability that could result in the theft of users' holdings: "It should be updated immediately".

A serious software vulnerability was discovered in a recently updated version of the XRP Ledger's JavaScript development library, raising alarms throughout the cryptocurrency developer community.

The XRP Ledger Foundation announced that a vulnerability was found in multiple versions of the xrpl JavaScript package, which is a widely used software development kit for interacting with the XRP Ledger.

According to the foundation, the issue was detected by Charlie Eriksen, a malware researcher at Aikido Security, who described it as a "potentially destructive" supply chain attack.

Eriksen warned that "This security vulnerability may allow malicious individuals to steal users' private keys and gain unauthorized access to wallets," but it remains uncertain whether any user is directly affected.

Affected versions are v4.2.1 through v4.2.4 and v2.14.2. The XRP Ledger engineering team has since released version v4.2.5, which invalidates the compromised packages. Users and developers relying on the affected versions are strongly advised to update immediately.
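One check a developer can run before updating, as an added example that is not the Foundation's or the xrpl project's own code: it audits a package-lock.json for the affected xrpl versions listed above, including nested copies pulled in by other dependencies. The lockfile sample is constructed for illustration.

```javascript
// Added example (not XRP Ledger Foundation or xrpl project code): audit a
// package-lock.json for the xrpl versions named in the advisory.
const AFFECTED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

// lockfileVersion 2/3: flat "packages" map keyed by install path, so nested
// copies appear as node_modules/<dep>/node_modules/xrpl.
function scanPackagesMap(packages) {
  return Object.entries(packages)
    .filter(([p]) => p === "node_modules/xrpl" || p.endsWith("/node_modules/xrpl"))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// lockfileVersion 1: nested "dependencies" tree; walk it recursively.
function scanDependencyTree(deps, prefix = "") {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "xrpl") hits.push({ path, version: meta.version });
    hits.push(...scanDependencyTree(meta.dependencies, `${path}/`));
  }
  return hits;
}

// Returns every xrpl install in the lockfile and flags the advisory's versions.
// Pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) for a real audit.
function auditLockfile(lock) {
  const found = lock.packages
    ? scanPackagesMap(lock.packages)
    : scanDependencyTree(lock.dependencies);
  const hits = found.map((h) => ({ ...h, affected: AFFECTED.has(h.version) }));
  return { hits, affectedCount: hits.filter((h) => h.affected).length };
}

// Constructed sample (lockfileVersion 3): one direct and one nested xrpl copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.4" },
    "node_modules/some-sdk": { version: "1.0.0", dependencies: { xrpl: "2.14.2" } },
    "node_modules/some-sdk/node_modules/xrpl": { version: "2.14.2" },
    "node_modules/other-lib": { version: "3.1.0" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

A nested copy is only reachable through the dependency that declares it, so updating the top-level xrpl alone leaves it in place; the transitive dependency must be updated too.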

The foundation said the following in its statement made via social media:

"To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not affect the XRP Ledger codebase or the GitHub repository itself."

Malicious code appears to have been introduced via Node Package Manager (NPM), a platform commonly used for sharing JavaScript packages. Projects like Xaman Wallet and XRPScan have confirmed that their services are likely unaffected as they did not adopt the compromised versions.

The XRP Ledger Foundation stated that a full post-mortem will be published once more information is obtained regarding how the backdoor was used.