{"id":23574,"date":"2025-04-24T13:49:22","date_gmt":"2025-04-24T13:49:22","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=23574"},"modified":"2025-04-24T13:49:22","modified_gmt":"2025-04-24T13:49:22","slug":"crypto-stealing-code-found-in-xrp-toolkit-devs-urged-to-update","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=23574","title":{"rendered":"Crypto-Stealing Code Found in XRP Toolkit, Devs Urged to Update"},"content":{"rendered":"<div>\n<p>Well, this one\u2019s a developer\u2019s worst nightmare. The XRP Ledger Foundation just had to clean up a major mess after discovering that a commonly used JavaScript library in the XRP ecosystem had been compromised. The library, called xrpl.js, was hiding a nasty little backdoor that could steal your private keys. The XRP Ledger exploit was traced back to a malicious version of the xrpl.js library, putting thousands of wallets at risk.<\/p>\n<p>On April 21, blockchain security firm <a class=\"general-link\" href=\"https:\/\/www.aikido.dev\/blog\/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor\" target=\"_blank\" rel=\"nofollow noopener nofollow\">Aikido sounded the alarm<\/a>. They noticed that someone had uploaded five suspicious versions of xrpl.js to the npm package registry, all signed by an unknown publisher going by the name \u201cmukulljangid.\u201d Weirdest part? These versions didn\u2019t exist on the library\u2019s official GitHub, which was a huge red flag.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8 We have discovered a backdoor in the official <a href=\"https:\/\/twitter.com\/hashtag\/xrpl?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#xrpl<\/a> NPM package. This back door steals private keys and sends them to attackers. The affected versions are 4.2.1 \u2013 4.2.4; if you are using an earlier version, do not upgrade. <a href=\"https:\/\/twitter.com\/hashtag\/crypto?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#crypto<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#malware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/npm?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">#npm<\/a> <a href=\"https:\/\/t.co\/wshcTFKjbR\" target=\"_blank\" rel=\"nofollow\">pic.twitter.com\/wshcTFKjbR<\/a><\/p>\n<p>\u2014 Aikido Security (@AikidoSecurity) <a href=\"https:\/\/twitter.com\/AikidoSecurity\/status\/1914610391218299190?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"nofollow\">April 22, 2025<\/a><\/p>\n<\/blockquote>\n<p>Digging into the code, Aikido found a function called checkValidityOfSeed hidden inside the wallet creation process. It did one thing: quietly send private keys off to an outside domain called 0x9c.xyz. In short, any app using one of those versions could have leaked users\u2019 wallet credentials without them ever knowing.<\/p>\n<p>The XRP Ledger Foundation acted fast. They pulled the infected versions from npm and pushed out a clean one, version 4.2.5. Developers were told to upgrade immediately to shut the door on the exploit.<\/p>\n<h2><strong>The Impact of this Discovered Exploit<\/strong><\/h2>\n<p>This wasn\u2019t just a small blip either. xrpl.js is a big part of the XRP developer toolkit, clocking over 140,000 downloads a week. That means any project that integrated one of the malicious versions could have unknowingly put users at risk.<\/p>\n<p>Luckily, not everyone was affected. Established platforms in the XRP ecosystem like XRPScan, First Ledger, and Gen3 Games said they were in the clear. Still, the fact that a compromised version of the core library got published and downloaded is a serious reminder of just how fragile software supply chains can be.<\/p>\n<p>Even with the scare, XRP\u2019s market price didn\u2019t flinch. The token actually ended the day up more than 3.5 percent, sitting pretty with a market cap north of $125 billion. So while the devs were scrambling behind the scenes, the market didn\u2019t seem too spooked.<\/p>\n<h2><strong>XRP Ledger Exploit: Security Recommendations<\/strong><\/h2>\n<p>If you\u2019re a developer working with xrpl.js, here\u2019s the quick checklist:<\/p>\n<ul>\n<li>Update immediately to version 4.2.5 or roll back to 2.14.3, which was not affected<\/li>\n<li>If there\u2019s any chance a compromised version touched your environment, rotate your private keys<\/li>\n<li>Use lockfiles to avoid surprise updates sneaking into your build<\/li>\n<li>Be cautious with versioning symbols like ^ in your package.json since they can silently pull in minor updates<\/li>\n<\/ul>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>This incident is a textbook example of a supply chain attack and shows how even trusted libraries can become attack vectors. With crypto, the stakes are high and the window for error is small. If you\u2019re building in this space, staying paranoid might just save your project, and your users\u2019 funds.<\/p>\n<div class=\"nnbtc-key-takeaways\">\n<h3 class=\"nnbtc-key-takeaways__title\">Key Takeaways<\/h3>\n<ul class=\"nnbtc-key-takeaways__list\">\n<li class=\"nnbtc-key-takeaways__list-item\">Malicious versions of the popular XRP developer library xrpl.js were uploaded to npm, containing code that leaked private keys.<\/li>\n<li class=\"nnbtc-key-takeaways__list-item\">The rogue versions were not present on the library\u2019s official GitHub, and were flagged by security firm Aikido on April 21.<\/li>\n<li class=\"nnbtc-key-takeaways__list-item\">The XRP Ledger Foundation responded quickly, removing the infected packages and releasing a clean update (v4.2.5).<\/li>\n<li class=\"nnbtc-key-takeaways__list-item\">Projects using compromised versions could have exposed users to wallet breaches; developers are urged to update and rotate keys.<\/li>\n<li class=\"nnbtc-key-takeaways__list-item\">The incident highlights major risks in crypto software supply chains, even as XRP\u2019s market price remained unaffected.<\/li>\n<\/ul>\n<\/div>\n<p>The post <a href=\"https:\/\/99bitcoins.com\/news\/crypto-stealing-code-found-in-xrp-toolkit-devs-urged-to-update\/\">Crypto-Stealing Code Found in XRP Toolkit, Devs Urged to Update<\/a> appeared first on <a href=\"https:\/\/99bitcoins.com\/\">99Bitcoins<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Well, this one\u2019s a developer\u2019s worst nightmare. The XRP Ledger Foundation just had to clean up a major mess after discovering that a commonly used JavaScript library in the XRP ecosystem had been compromised. The library, called xrpl.js, was hiding a nasty little backdoor that could steal your private keys.
The XRP Ledger exploit was [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-23574","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/23574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23574"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/23574\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}