The official NPM package for the XRP Ledger (XRPL) was compromised by sophisticated attackers, who installed a backdoor that extracts crypto keys and so gives them access to private wallets. Ripple discovered the breach when five new packages were added to the XRP Ledger (XRPL) repository. The package averages 140,000 downloads every week, and thousands of websites and apps depend on it. Left unaddressed, the breach could have caused severe damage to crypto markets, a supply chain disruption that could have spread to other markets. The five new packages added to GitHub did not align with previous releases, which raised suspicion about the changes made to the code.
The malicious code communicated with a newly registered domain name, 0x9c.xyz, and was invoked during the wallet creation process, allowing the attackers to obtain private keys. Analysis of the code reveals that the attackers refined their methods over time: the first versions carried the backdoor as plain, undisguised code, while later versions hid it within TypeScript code. Ripple has advised people affected by the attack to check their logs for outgoing traffic to the suspicious domain name. Furthermore, applications using the Ripple Ledger should rotate their wallet addresses to prevent further abuse by malicious actors. The compromised XRPL releases included versions 4.2.1 and 4.2.4. Ripple released new versions that mitigate the threat, including versions 4.2.5 and 2.14.3. Affected users should move their assets immediately to new addresses.
The attackers added a method named checkValidityOfSeed() at the end of the file /src/index.ts in the compromised versions. The method sends a string to the web address 0x9c.xyz/xcm, where the attackers store the exfiltrated data, using an HTTP POST request. The attackers further disguised the request as an advertisement referral service to hide their activity from network monitoring scanners. Through checkValidityOfSeed(), the attackers can steal private keys, mnemonics, and seeds.
The XRP Ledger Foundation (XRPLF) maintains the xrpl.js library, the official package used to communicate with Ripple from JavaScript. The xrpl.js library allows programmers to access wallet features, transfer Ripple tokens, and interact with the Ripple blockchain. The package is used widely, with an average of 140,000 downloads per week. Malicious code was inserted in versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4. Ripple has released version 4.2.5, which removes the malicious code.
Developers are advised to replace any infected versions as soon as possible. The danger of such attacks is that a compromised library is built into applications, so end users receive the malicious code inside apps they download. Ripple has removed the infected NPM packages. Ripple assured users that the attack affected only the xrpl.js package and not the core Ripple repository.
“This vulnerability”, wrote Ripple Foundation, “is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or the GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.”
Coinbase suffered a similar attack in March, when attackers targeted its open-source AgentKit. Like the XRPL attack, it was a supply chain attack aimed at crypto-related projects. Coinbase, however, was able to foil the attack and prevent any damage to its supply chain. The North Korean hacking group Lazarus has also targeted NPM repositories, using a trick of creating repositories with names similar to those of official libraries.
Ripple has recently experienced significant gains in the American market, following the SEC’s settlement with the crypto company. The change in American regulation has allowed the Ripple network to expand its business practices and focus on innovation. The XRP price has increased by around 300% since Trump’s inauguration. Ripple has similar price dynamics, in terms of volatility, to other coins like Stellar and TRON, which may be due to overlapping remittance markets. There is now a push to release an XRP ETF. Coinbase, further, released an XRP futures market on its derivatives platform, announcing the change on April 21.