XRP Community Issued Critical Alert on New Threat, What Happened?

Tue, 22/04/2025 - 13:31
Urgent alert issued on threat putting XRP Ledger users and funds at risk

Disclaimer: The opinions expressed by our writers are their own and do not represent the views of U.Today. The financial and market information provided on U.Today is intended for informational purposes only. U.Today is not liable for any financial losses incurred while trading cryptocurrencies. Conduct your own research by contacting financial experts before making any investment decisions. We believe that all content is accurate as of the date of publication, but certain offers mentioned may no longer be available.

The XRP community has received a critical security alert following a recent tweet by security platform Aikido Security.

In a tweet, Aikido Security said it had discovered a backdoor in the official XRPL NPM package, a popular library for integrating a JavaScript/TypeScript app with the XRP Ledger when advanced functionality is required. The backdoor steals private keys and sends them to attackers, prompting an urgent alert to all XRP developers and projects.

According to Aikido Security, versions 4.2.1 to 4.2.4 of the XRPL NPM package were compromised. It listed the compromised versions as 4.2.4, 2.14.2, 4.2.3, 4.2.2 and 4.2.1.

Thomas Silkjaer, Head of Analytics and Compliance at InFTF, retweeted Aikido Security's post and issued a warning: "Be aware. Make sure your project is not using the latest NPM version, as it will compromise all accounts created with the library."

What's going on?

Vet, an XRPL dUNL validator, echoed a similar warning: "XRP Ledger Devs and Projects—if you use XRPL JS library, don’t update or use any version 4.2.1 or higher. It’s compromised—any project utilizing the newest version of XRPL JS is putting users and funds at risk. Please let every project and developer know about this."

Infrastructure provider Alloy Network tweeted an urgent alert while sharing Aikido Security's warning: "This is verified. The latest version of the npm package is compromised. Roll back if you’re on the latest. Immediately."

Denis Angell, a software engineer at XRPL Labs and Xahau, stated that the current stable version of xrpl.js is 4.2.0.

Xaman Builder, XRPL Labs, stated that "the compromised xrpl.js NPM package does not affect Xaman Wallet. Xaman uses in-house infrastructure and libraries developed by XRPL Labs. We do not rely on third-party libraries like xrpl.js to handle private keys or transactions. Xaman users are not affected."
