- A malicious actor used a compromised Ripple developer account to publish malicious commits to NPM
- The commits would have granted the attacker access to victims' cryptocurrency wallets
- They were downloaded about 450 times before being taken down
A JavaScript library recommended by a large cryptocurrency company has been hijacked, putting users at risk of losing access to their cryptocurrency wallets, as well as the funds stored in them.
Researchers warned that a threat actor had managed to break into an NPM account belonging to a developer associated with Ripple.
After gaining access to the account, the threat actor modified the JavaScript NPM library named 'xrpl.js'. Versions 2.14.2, 4.2.1, 4.2.2, 4.2.3 and 4.2.4 of the xrpl NPM package were modified and then published to NPM. The xrpl.js library is used by JavaScript application developers to interact with the XRP Ledger (XRPL): to send XRP transactions, verify transactions and manage accounts on the network.
GitHub not affected
Ripple is the cryptocurrency company behind XRP, currently the fourth-largest cryptocurrency. It is designed for cross-border payments and currency transfers, mainly for financial institutions. At press time, XRP had a market capitalization of $132.34 billion and a daily transaction volume of $5 billion.
Before being taken down, the malicious updates had racked up 452 downloads. The latest version now showing is 4.2.5, and it is clean. Users are advised to upgrade immediately. The library normally sees more than 100,000 downloads per week.
The malicious commits are not found in the GitHub repository, which suggests the attack occurred during the NPM publication process rather than in the source repository.
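Since the clean GitHub source gives no hint of the compromise, the practical check is on the installed artifact. As an added example (not from the article, Ripple or the xrpl.js project), this Node.js snippet audits a package-lock.json for the exact xrpl versions the article lists as backdoored, including transitive copies nested under other packages; the lockfile contents are constructed for illustration.

```javascript
// Versions the article reports as modified and republished to NPM,
// and the first clean release it names.
const AFFECTED = new Set(['2.14.2', '4.2.1', '4.2.2', '4.2.3', '4.2.4']);
const FIXED = '4.2.5';

// Walk a lockfileVersion 2/3 package-lock.json ("packages" map). Every key
// ending in "node_modules/xrpl" is an installed copy, so nested copies pulled
// in by other SDKs are checked too, not just the top-level dependency.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/xrpl')) continue;
    if (typeof meta.version !== 'string') continue;
    findings.push({
      path,
      version: meta.version,
      status: AFFECTED.has(meta.version) ? 'COMPROMISED' : 'ok',
    });
  }
  return findings;
}

function hasCompromised(findings) {
  return findings.some((f) => f.status === 'COMPROMISED');
}

// Constructed sample lockfile: a direct dependency resolved to a backdoored
// release and a transitive copy already on the clean version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { xrpl: '^4.2.0' } },
    'node_modules/xrpl': { version: '4.2.3' },
    'node_modules/some-sdk/node_modules/xrpl': { version: FIXED },
  },
};

// Print one line per installed copy; a compromised copy means the build
// must be re-pinned to 4.2.5 or later and any keys it handled treated as exposed.
function report(lock) {
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(11)} xrpl@${f.version}  ${f.path}`);
  }
  if (hasCompromised(findings)) console.log(`Upgrade xrpl to ${FIXED} or later.`);
  return findings;
}

report(sampleLock);
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 1 files nest entries under `dependencies` instead and are not handled here.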
Meanwhile, the XRP Ledger Foundation took to X to clarify that the XRP Ledger code base and the GitHub repository were not affected:
"To clarify: this vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not affect the XRP Ledger code base or the GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately," it said.
The Xaman Wallet, XRPSCAN, First Ledger and Gen3 projects were not affected.
Via BleepingComputer