- A malicious actor used a compromised Ripple dev account to publish commits to NPM
- The commits would grant access to people’s crypto wallets
- They were downloaded around 450 times before being pulled down
A JavaScript library recommended by a major cryptocurrency company has been hijacked, with users now being at risk of losing access to their crypto wallets, as well as the funds stored inside.
Researchers warned omeone managed to break into a NPM account belonging to a developer associated with Ripple.
After breaking into the account, the threat actor modified the NPM JavaScript library named ‘xrpl.js”. Versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the xrpl NPM package were modified and then published to NPM. The xrpl.js library is used to interact with the XRP Ledger (XRPL) from JavaScript applications, enabling developers to send transactions, check balances, and manage accounts on the network. It is maintained by the XRP Ledger Foundation and is Ripple’s recommended library for interacting with the XPR blockchain via JavaScript.
GitHub not affected
Ripple is a cryptocurrency company that built XRP, currently the fourth biggest cryptocurrency. It is designed for cross-border payments and currency transfers, primarily for financial institutions. At press time, XRP has a market capitalization of $132.34 billion, and a daily transaction volume of $5 billion.
Before being pulled down, the malicious updates amassed 452 downloads. The latest version showing now is 4.2.5 and this one is clean. Users are advised to upgrade immediately. Usually, the library has more than 100,000 downloads a week.
The malicious commits are not found in the GitHub repository, which should mean the attack occurred during the NPM publishing process.
In the meantime, the XRP Ledger Foundation took to X to clarify that the XRP Ledger codebase and GitHub repository were not affected:
“To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately,” it said.
Xaman Wallet, XRPScan, First Ledger, and Gen3 Games projects were not affected.
Via BleepingComputer
