
Critical Security Warning for XRP Developers: Backdoor Discovered in XRPL NPM Package

6 days ago

XRP Community on High Alert Due to Security Warning

The XRP community is on high alert after Aikido Security, a cybersecurity platform, raised a significant security warning. In a recent tweet, Aikido disclosed a backdoor embedded in the official NPM package for XRPL, which is widely used in JavaScript and TypeScript applications that interact with the XRP Ledger.

This malicious backdoor captures private keys and transmits them to cybercriminals, prompting Aikido to urgently notify all developers and projects within the XRP ecosystem.

Advisory Against Compromised Versions

Developers have been advised to avoid versions 4.2.1 to 4.2.4 of the XRPL NPM package, as these are the compromised releases that put every account created with them at substantial risk. Specifically, the compromised versions have been identified as 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2.

“Be aware. Ensure your project does not employ the latest NPM version, as it will endanger all accounts associated with this library.” – Thomas Silkjaer, InFTF

Additionally, XRPL dUNL validator Vet echoed the sentiment, warning that developers using the XRPL JS library should refrain from updating to any version 4.2.1 or higher, and emphasizing that such an update puts user funds at significant risk.

“Every project utilizing the latest version of XRPL JS is at risk—please inform all developers and projects about this issue.” – Vet

Urgent Responses and Recommendations

Urgency around this matter intensified when infrastructure provider Alloy Network reaffirmed Aikido’s concerns through their own social media, urging users to revert if they had recently updated. According to software engineer Denis Angell of XRPL Labs and Xahau, the current secure release of xrpl.js is still at version 4.2.0, which is unaffected by the backdoor issue.

Clarifications from XRPL Labs

In a reassuring note to users, XRPL Labs clarified that their Xaman Wallet is not impacted by this breach, as they rely on proprietary infrastructure and libraries and do not use third-party packages like xrpl.js for critical functions related to private keys or transactions. Thus, users of Xaman remain unaffected by the current vulnerabilities affecting other libraries.
