Aikido Security recently discovered a serious vulnerability in the XRP Ledger’s official JavaScript SDK, raising concerns about compromised versions of the XRPL Node Package Manager (NPM) package. The affected versions, v4.2.1 through v4.2.4 and v2.14.2, were found to contain a backdoor capable of exfiltrating private keys, putting crypto wallets at risk. An NPM package is a reusable module for JavaScript and Node.js projects that simplifies installation, updates, and removal processes.

The anomaly was flagged by Aikido Security’s automated threat monitoring platform when an NPM user named “mukulljangid” published new versions of the XRPL package that did not align with tagged releases on the official GitHub repository. The compromised packages contained a function called checkValidityOfSeed, which made calls to an unverified domain, silently transmitting private keys during wallet creation. The attacker’s technique progressed from manual edits to the JavaScript in the early compromised versions to deeper integration into the SDK’s build process in the later ones.

The incident was identified as a targeted attack on crypto development infrastructure; the compromised versions also removed development tools from the package.json file, a further sign of deliberate tampering. The XRP Ledger Foundation promptly responded to the issue by acknowledging it publicly and working on a fix. XRP Ledger-based companies like Gen3 Games avoided the compromised versions through diligent version control practices, ensuring only exact versions were installed during development and deployment.

Recommendations to mitigate risks include committing the “lockfile” to version control, using Performant NPM (PNPM) when possible, and avoiding the caret (^) symbol in the package.json file to prevent unintended version upgrades. The XRP Ledger’s SDK, distributed through NPM, has over 140,000 downloads per week, making it a widely used tool for developers building applications on the XRP Ledger. The affected versions were promptly removed from the NPM registry, although it remains unclear how many users had integrated them before the vulnerability was discovered.
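The following script is an added example (not code from the article, Aikido Security or the XRPL project) that checks a project against the recommendations above: it flags loose semver ranges in package.json, reports a missing lockfile, and flags any installed copy of the SDK whose version falls in the range the article lists as compromised. It assumes the SDK is published on npm under the name `xrpl` and that the lockfile is package-lock.json with lockfileVersion 2 or 3; the sample manifests are constructed for the demo.

```javascript
// Versions the article names as compromised.
const AFFECTED_XRPL = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

// An exact pin looks like "4.2.0" (optionally with a prerelease tag). Anything
// else ("^4.2.0", "~4.2.0", ">=4", "*", "latest") lets a fresh install resolve
// to a release nobody on the team reviewed.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// pkg: parsed package.json; lock: parsed package-lock.json or null if absent.
// Returns a list of findings; an empty list means all checks passed.
function auditProject(pkg, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) {
        findings.push({ name, issue: "loose-range", detail: `${field}: ${spec}` });
      }
      if (name === "xrpl" && AFFECTED_XRPL.has(spec)) {
        findings.push({ name, issue: "compromised-version", detail: `${field}: ${spec}` });
      }
    }
  }
  if (!lock) {
    // Without a committed lockfile, CI and production may install something
    // different from what the developer tested.
    findings.push({ name: "*", issue: "missing-lockfile", detail: "commit package-lock.json" });
    return findings;
  }
  // lockfileVersion 2/3 records every installed package (including nested
  // copies) under "packages", keyed by its node_modules path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/xrpl") && AFFECTED_XRPL.has(entry.version)) {
      findings.push({ name: "xrpl", issue: "compromised-version", detail: `${path}@${entry.version}` });
    }
  }
  return findings;
}

// Constructed sample manifests: a caret range on xrpl that the lockfile has
// resolved to one of the affected versions.
const SAMPLE_PKG = { dependencies: { xrpl: "^4.2.0", "example-lib": "1.0.0" } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { "": {}, "node_modules/xrpl": { version: "4.2.3" }, "node_modules/example-lib": { version: "1.0.0" } },
};

console.log(auditProject(SAMPLE_PKG, SAMPLE_LOCK));
```

In a real repository, load the two objects with `JSON.parse(fs.readFileSync(...))` and fail the build when the returned list is non-empty.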
