An attacker planted malicious code in the official XRP Ledger (XRPL) node package manager on Monday at 8:53 p.m. UK time. The malware, built primarily to steal the private keys that grant access to cryptocurrency wallets, was the first-ever detection by Aikido’s public threat feed, which uses large language models to track and flag newly injected malicious code in legitimate software.

The compromise of a package downloaded more than 140,000 times last week posed a serious danger to the entire cryptocurrency ecosystem. The attack shows that even large, widely used decentralized platforms are increasingly exposed to supply chain attacks.

Discovery of the Breach

Aikido security researchers found the malicious code in the official XRP Ledger node package maintained by Ripple. The trouble began when a user named mukulljangid published five new malicious versions of the XRPL node package manager. The published versions had no matching release hashes on the XRPL GitHub, which raised immediate suspicion.

The multiple version updates showed the attacker was trying to steal password-like private keys that grant access to crypto wallets. - Charlie Eriksen, an Aikido security researcher

Aikido security researcher Charlie Eriksen shared the alarming findings. The series of version updates revealed the attacker’s goal: stealing the password-like private keys that give access to crypto wallets. Eriksen added that the malware was identified quickly enough to stave off what could have been widespread damage.

Impact on XRP Ledger

The XRP Ledger was born out of the original XRP blockchain project. It is an open-source, entirely decentralized platform, created and maintained by a global community of businesses and developers. Ripple has always been the major contributor to the development of the XRP Ledger, which was created in 2011 by Ripple’s founders. The platform natively powers numerous decentralized finance (DeFi) applications and today protects about $80 million in user deposits across these apps.

In hindsight, the incident was very serious and could have caused severe disruption to the millions of consumers and businesses that rely on the XRP Ledger. Fortunately, it was detected and responded to quickly, preventing any damage from occurring.

Security Implications

The incident highlights how essential security measures and continuous monitoring are in the cryptocurrency world. Supply chain attacks, in which malicious code is inserted into popular software packages, are an ongoing and severe threat.

hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem - Charlie Eriksen

According to the XRPL GitHub, the node package manager was downloaded more than 140,000 times last week alone. That figure underscores the scale of the potential impact. Eriksen described the incident as a potentially catastrophic supply chain attack on the cryptocurrency ecosystem, given how widely the affected applications and websites are used.