430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The popular xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack

The xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack aimed at stealing users’ private keys. Threat actors compromised the Ripple cryptocurrency npm JavaScript library xrpl.js to harvest users’ private keys. xrpl.js is the recommended library for integrating a JavaScript/TypeScript app with the XRP, it has more than 140.000 weekly downloads. Hundreds of thousands of […]

Ripple

The xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack aimed at stealing users’ private keys.

Threat actors compromised the Ripple cryptocurrency npm JavaScript library xrpl.js to harvest users’ private keys.

xrpl.js is the recommended library for integrating a JavaScript/TypeScript app with the XRP, it has more than 140.000 weekly downloads. Hundreds of thousands of applications and websites use this package, the package has been downloaded over 2.9 million times to date.

On April 21, Aikido Intel detected that the official xrpl NPM package was compromised with a backdoor as part of a supply chain attack.

“At 21 Apr, 20:53 GMT+0, our system, Aikido Intel started to alert us to five new package version of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140.000 weekly downloads.” reads the report published by Aikido. “We quickly confirmed the official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets. “

The researchers investigated the supply chain attack and discovered that five xrpl package versions (4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2) contained malicious code. The user 'mukulljangid‘ released all five malware-laced versions of the library starting from 21 Apr, 20:53 GMT+0.

The researchers noticed the presence of a function named checkValidityOfSeed in the code that was used to exfiltrate the stolen information to the domain “0x9c [.] xyz”.

Ripple cryptocurrency npm JavaScript library xrpl.js 

At this time, it is unclear who is behind the attack, however, the experts pointed out that multiple version bumps occurred as attackers refined their methods. Version 4.2.1 removed key configs; 4.2.2 introduced malicious JavaScript. Later versions (4.2.3, 4.2.4) added backdoors in TypeScript, showing the attacker’s evolving tactics to avoid detection and moving from manual code insertion to compiled backdoors.

The problem has been fixed in versions 4.2.5 and 2.14.3.

Users of the xrpl.js library are urged to update to versions 4.2.5 or 2.14.3 to mitigate risks from the recent supply chain attack.

The company provided indicators of compromise to check whether users’ systems may have been affected by the malicious versions of the library.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ripple)