Aikido Security, a cybersecurity firm that researches code vulnerabilities in cryptocurrency networks, announced on April 21 that the XRPL developer library contains a backdoor that sends private keys to remote attackers. The vulnerability is found specifically in the XRPL package distributed through NPM, a library for application developers.
The XRPL package on NPM is a JavaScript/TypeScript library designed to interact with the XRP Ledger (XRPL) network. According to the library's page on the NPM registry, it is the "recommended choice" for integrating applications with XRPL, particularly for solutions such as payment gateways, decentralized exchanges, account setup, multi-signature transactions, and more.
The package is currently used for tasks as diverse as key management, creating and funding test credentials, sending transactions to the XRP Ledger, and more.
Consequently, the vulnerability discovered by Aikido Security could be widespread across many XRPL applications, posing a systemic risk.
This is especially true because, according to the security firm, the package is "the official SDK (software development kit) for the XRP Ledger, with over 140,000 weekly downloads." This weekly download figure is confirmed by NPM's own website.
On April 21st at 20:53 GMT, our system, Aikido Intel, alerted us to five new versions of the XRPL package. This is the official SDK for the XRP Ledger, with over 140,000 weekly downloads. We quickly confirmed that the official XRPL (Ripple) NPM package was compromised by sophisticated attackers who installed a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets. This package is used by hundreds of thousands of applications and websites, making it a potentially catastrophic attack on the cryptocurrency ecosystem's supply chain.
Aikido Security, a cybersecurity firm.
Aikido Security notes that the affected versions of the package range from 4.2.1 to 4.2.4, and recommends not updating your project's dependency if you are using an older version of the library.
According to the firm, a user named "mukulljangid" published five new versions of the NPM package, but these versions do not match the official releases listed on the GitHub repository, where the latest version is 4.2.0. For Aikido, "the fact that these packages appeared without a corresponding version on Github is highly suspicious."
Likewise, the security firm detected "strange" lines of code in the new packages using its AI-powered code monitoring solution, Aikido Intel: specifically, a function named checkValidityOfSeed and the domain 0x9c[.]xyz.
Everything seems normal until the end. What is this checkValidityOfSeed function? And why does it call a random domain called 0x9c[.]xyz? Let's get to it!
Aikido Security, a cybersecurity firm.
checkValidityOfSeed is one of the lines of code considered unusual by Aikido Security. Source: Aikido Vulnerability Report.
The domain in question is suspiciously recent, according to Aikido, which additionally found that code inside a method beginning with “public constructor (“ steals private keys from XRPL wallets.
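An added check, not code from the article, from Aikido, or from the xrpl project, that covers the two findings above: it flags any xrpl entry in a project's package-lock.json whose version falls in the 4.2.1 to 4.2.4 range reported as affected, and scans installed source text for the checkValidityOfSeed function name and the 0x9c[.]xyz domain. The lockfile it runs on is constructed, and the lockfileVersion 2/3 "packages" layout is assumed.

```javascript
// Added example, not code from the article, Aikido, or the xrpl project: audit a
// package-lock.json for the xrpl versions the article names as compromised
// (4.2.1-4.2.4 inclusive) and scan source for the two reported indicators.
const AFFECTED_PACKAGE = "xrpl";
const AFFECTED_MIN = "4.2.1";
const AFFECTED_MAX = "4.2.4";
// The domain is defanged in the article as 0x9c[.]xyz; the real form is matched.
const INDICATORS = ["checkValidityOfSeed", "0x9c.xyz"];
// Numeric comparison of dotted versions (no semver dependency); parseInt
// ignores a prerelease suffix such as "-beta".
function compareVersions(a, b) {
  const pa = a.split("."), pb = b.split(".");
  for (let i = 0; i < 3; i++) {
    const d = parseInt(pa[i] || "0", 10) - parseInt(pb[i] || "0", 10);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffectedVersion(version) {
  const v = version.replace(/^[\^~]/, ""); // tolerate a caret/tilde prefix
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}
// Walk the "packages" map of a lockfileVersion 2/3 lockfile and report every
// xrpl entry in the affected range, including nested copies under other packages.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isXrpl = path.endsWith("node_modules/" + AFFECTED_PACKAGE);
    if (isXrpl && meta.version && isAffectedVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Return the reported indicators that appear in a blob of installed source text.
function findIndicators(sourceText) {
  return INDICATORS.filter((ioc) => sourceText.includes(ioc));
}
// Constructed sample lockfile: a compromised direct dependency plus a clean
// transitive copy that checking only the top-level package.json would miss.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-dex-sdk/node_modules/xrpl": { version: "4.2.0" },
  },
};
console.log(auditLockfile(sampleLock)); // one hit: node_modules/xrpl at 4.2.3
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and feed findIndicators the contents of the files under node_modules/xrpl.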
A subsequent investigation by Aikido into the user who apparently updated the library revealed the following: “The packages were deployed by the user mukulljangid. A Google search for that username reveals a LinkedIn profile of someone who appears to be a legitimate Ripple employee since July 2021. This therefore suggests that this developer’s credentials were stolen and used to publish these new malicious packages.”
The credentials of employees inside organizations and companies are a classic attack vector for hackers. A report released by Bybit's CEO indicated that the North Korean Lazarus group may have gained access to an AWS S3 storage account using the credentials of an employee who was involved. That hack resulted in losses for the exchange of up to $1.5 billion.