This was a coordinated, elaborate supply chain attack aimed at Ripple’s XRP Ledger that had the potential to leave the network wide open to attack. The compromise was reported to CoinDesk by Charlie Eriksen, a malware researcher at Aikido Security, a blockchain security auditing firm. As detailed in the report, the attack was made possible through the compromise of a Ripple employee’s npm account, under the username ‘mukulljangid.’

The xrpl.js JavaScript library is one of the most commonly used tools for interacting with the XRP Ledger network, yet its latest versions were recently found to contain malicious code. Aikido Security’s team found a backdoor in the library that was set up to steal private keys and send them to attackers. The impacted versions of xrpl.js are 4.2.1 – 4.2.4. Users of earlier versions were urged not to update to these compromised releases. The library has over 140,000 weekly downloads.

The goal of the attack was to extract the most sensitive data, such as private keys, wallet seeds, and mnemonics. This sensitive information was subsequently sent to an attacker-controlled destination, 0x9c[.]xyz.

This back door steals private keys and sends them to attackers. - Aikido team

The compromise was originally discovered by Aikido Security. Security researcher Charlie Eriksen added that the compromised account had been used to plant a backdoor.

The official XRPL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets. - Charlie Eriksen, a malware researcher at Aikido Security

The immediate and urgent response contained the breach and prevented widespread distribution of the malicious library. Security researcher Charlie Eriksen wrote an excellent post mortem of the incident on Aikido Security’s blog.