A threat actor apparently used a stolen developer access token for the XRP Ledger's JavaScript library to publish malicious code to everyone pulling the package, in a move that could have been "catastrophic" for the network, the security team that spotted the issue said in an update.
Charlie Eriksen, a researcher at Aikido Security who first spotted the issue, said that a hidden backdoor was added to recent versions of a popular toolkit used to build applications that work with the XRP Ledger.
"The npm access token of a developer was stolen by threat actors," Aikido said on X. "We don't know how right now. We don't know who the threat actors are at the moment (although we have a hunch that we are trying to confirm)."
The issue affects only the versions published on the Node Package Manager (npm) registry, a site where developers share reusable code for their projects. Major XRP-linked services such as Xaman Wallet and XRPScan said in separate X posts that they were not affected.
The flaw could allow attackers to steal users' private keys, which in theory would give them access to those users' crypto wallets.
"As of April 21, 20:53 GMT+0, our system, Aikido Intel, started alerting us to five new package versions of the xrpl package. This is the official XRP Ledger SDK, with over 140,000 weekly downloads," Eriksen said in a security update.
"This package is used by hundreds of thousands of applications and websites, making this a potentially catastrophic supply chain attack on the cryptocurrency ecosystem," Eriksen noted.
He added that only third-party applications or services that installed the faulty versions during the short window they were available could be at risk.
The XRP Ledger Foundation team quickly fixed the issue by publishing updated versions of the library to replace the faulty ones. The affected versions (v4.2.1-4.2.4 and v2.14.2) were deprecated.
"To clarify: this vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not affect the XRP Ledger codebase or the GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately," the foundation posted separately.
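A quick way to act on that advice is to check a project's lockfile for the affected xrpl versions named above. The following is an added example written for this article, not code from the article, Aikido or the XRP Ledger project; the lockfile contents are constructed, and the affected and fixed version numbers are taken from the text.

```javascript
// Added example: scan a package-lock.json object for the xrpl versions the
// article lists as compromised (4.2.1-4.2.4 and 2.14.2); fixed release: 4.2.5.
const AFFECTED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const FIXED = "4.2.5";

// Collect every installed copy of xrpl, including transitive copies nested
// under other packages. Handles both lockfile layouts: v2/v3 "packages"
// (flat map keyed by install path) and v1 "dependencies" (nested tree).
function findXrplVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl")) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl") found.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Mark each copy as affected or not and say what to do about it.
function auditLock(lock) {
  return findXrplVersions(lock).map((entry) => {
    const affected = AFFECTED.has(entry.version);
    return { ...entry, affected, advice: affected ? `upgrade to ${FIXED}` : "ok" };
  });
}

// Constructed sample lockfile (v3 layout): the top-level copy is already on
// the fixed release, but a dependency still pins a compromised version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/some-wallet-lib": { version: "0.1.0" },
    "node_modules/some-wallet-lib/node_modules/xrpl": { version: "4.2.3" },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a nested copy is easy to miss when only the top-level `xrpl` entry is checked.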
A JavaScript library is a collection of pre-written code that simplifies common tasks in web development. A GitHub repo is an online storage space for a project's code, files and history, hosted on GitHub.
XRP prices are up 8.5% over the past 24 hours, alongside a broader market jump.