- A hacker infected official developer software for the XRP Ledger blockchain.
- The malicious software versions have since been replaced with clean ones.
A hacker compromised a key piece of software used by developers of the XRP Ledger blockchain on Monday, putting thousands of users’ funds at risk, according to Aikido, a crypto security firm.
Aikido discovered that a hacker had infected the official XRP Ledger node package manager with malicious code at 8:53pm UK time on Monday.
The software is used by “hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem,” Charlie Eriksen, an Aikido security researcher, said in a report.
New version
According to the XRPL GitHub, the node package manager was downloaded over 140,000 times last week.
The software was updated to a new version designed to override the compromised versions at around 2pm UK time on Tuesday.
The same devs who went on to found Ripple started developing XRP Ledger, or XRPL, in 2011. XRP grew out of the blockchain project and Ripple continues to contribute to XRPL, which is decentralised and led by a community of businesses and developers.
XRPL uses some of the same software as Ethereum and can support smart contracts, unlike the main Ripple blockchain.
DeFi apps on XRPL hold $80 million worth of user deposits.
It’s not clear how the hacker was able to replace XRPL software with malicious versions. It’s also unclear how many users downloaded or were affected by the malicious software while it was still live.
A spokesperson for Ripple directed DL News to X posts from the XRP Ledger Foundation, a non-profit that furthers activity and development on the XRPL blockchain.
In the posts, the XRP Ledger Foundation confirmed the compromise did not affect the XRP Ledger codebase or GitHub repository, and that the malicious versions of the software had been deprecated.
The incident raises concerns over the level of security at XRP Ledger.
In January 2024, Ripple co-founder Chris Larsen lost $112 million worth of XRP tokens in a theft which has since been tied to a compromise at password management software company LastPass.
After XRP’s price soared some 294% over the past year, the stolen tokens are now worth $449 million.
Private key theft
The compromise started when a user called mukulljangid released five new versions of the XRPL node package manager, without a matching release on the XRPL GitHub, something Eriksen said was very suspicious.
Over several version updates, the hacker implanted code into the XRPL software designed to steal the password-like private keys that grant access to crypto wallets.
If a hacker were to gain knowledge of these keys, they could use them to access crypto wallets and transfer out funds without their owners’ permission.
The multiple version updates show that the attacker was “actively working on the attack, trying different ways to insert the backdoor while remaining as hidden as possible,” Eriksen said.
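The signal Eriksen points to, package versions appearing in the registry with no matching release in the project’s source repository, is something a team can check mechanically before an update reaches their build. The following is an added example written for this article, not code from Aikido, Ripple or the XRPL project: the package name, version numbers, git tags, timestamps and lockfile are all constructed placeholders, and the registry data is assumed to be in the shape that `npm view <package> time --json` returns.

```javascript
// Added example (not from the article or from the XRPL project).
// Flags registry versions of an npm package that have no matching git tag in
// the project's source repository, then checks whether a package-lock.json
// has pinned one of those versions. All sample data below is CONSTRUCTED.

const PKG = "example-ledger-sdk"; // hypothetical package name, not a real one

// Constructed: shape of `npm view <pkg> time --json` (version -> publish time).
const registryTimes = {
  created: "2020-01-01T00:00:00.000Z",
  modified: "2025-04-22T09:00:00.000Z",
  "4.2.0": "2025-03-01T10:00:00.000Z",
  "4.2.1": "2025-04-21T19:30:00.000Z",
  "4.2.2": "2025-04-21T21:05:00.000Z",
  "4.2.3": "2025-04-22T08:40:00.000Z",
};

// Constructed: tags from `git tag` in the project's repository. Only 4.2.0
// was cut as a release; the later registry versions have no tag at all.
const repoTags = ["example-ledger-sdk@4.2.0"];

// Constructed: a consumer's package-lock.json (lockfileVersion 3 layout).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "example-ledger-sdk": "^4.2.0" } },
    "node_modules/example-ledger-sdk": { version: "4.2.2" },
  },
};

// Accept x.y.z with an optional prerelease/build suffix; skips the
// "created"/"modified" keys that share the time map.
const SEMVER = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Normalise common tag styles ("v1.2.3", "<pkg>@1.2.3") to a bare version.
function tagToVersion(tag, pkgName) {
  if (tag.startsWith(pkgName + "@")) return tag.slice(pkgName.length + 1);
  if (/^v\d/.test(tag)) return tag.slice(1);
  return tag;
}

// Return registry versions with no matching tag, oldest publish first.
function untaggedVersions(times, tags, pkgName) {
  const tagged = new Set(tags.map((t) => tagToVersion(t, pkgName)));
  return Object.entries(times)
    .filter(([v]) => SEMVER.test(v) && !tagged.has(v))
    .map(([version, published]) => ({ version, published }))
    .sort((a, b) => a.published.localeCompare(b.published));
}

// Find every copy of pkgName in a lockfile (top-level or nested) whose
// pinned version is in the suspicious set.
function lockfileHits(lock, pkgName, versions) {
  const bad = new Set(versions);
  const suffix = `node_modules/${pkgName}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPkg = path === suffix || path.endsWith("/" + suffix);
    if (isPkg && entry.version && bad.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Plain-text report, suitable for a CI step that fails on any hit.
function report(times, tags, lock, pkgName) {
  const suspicious = untaggedVersions(times, tags, pkgName);
  const hits = lockfileHits(lock, pkgName, suspicious.map((s) => s.version));
  const lines = suspicious.map(
    (s) => `untagged: ${pkgName}@${s.version} published ${s.published}`
  );
  for (const h of hits) lines.push(`LOCKFILE PINS SUSPICIOUS VERSION: ${h.path} -> ${h.version}`);
  return { suspicious, hits, text: lines.join("\n") };
}

console.log(report(registryTimes, repoTags, sampleLock, PKG).text);
```

In practice the two inputs come from `npm view <package> time --json` and `git tag` on a checkout of the repository; an untagged version is only a signal, not proof of compromise (some projects publish without tagging), but it is cheap to gate on, and a hit in the lockfile is the moment to stop the build and verify the published tarball against the repository’s source.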
In cybersecurity, a backdoor is a secret, undocumented way of bypassing normal security measures to gain unauthorised access to a system or network.
Eriksen said the malware was detected by Aikido’s public threat feed, which uses large language models to monitor new and existing software for the addition of malicious code.
Last year, private key compromises accounted for the largest share of stolen crypto at 43.8%, according to a report from crypto security firm Chainalysis.
Updated on April 23: The headline and text were changed to address the impression Ripple owned XRP Ledger. Ripple is a contributor to the blockchain.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.