A critical supply chain attack has compromised Ripple’s official JavaScript library, xrpl.js, injecting malicious code to steal XRP wallet seeds and private keys. The attack, first reported by BleepingComputer [1], targeted versions 2.14.2 and 4.2.1–4.2.4 of the NPM package, exfiltrating sensitive data to an attacker-controlled server (0x9c[.]xyz). This incident underscores persistent risks in open-source dependencies and cryptocurrency wallet security.
Attack Mechanism and Impact
The compromised versions included a malicious function, checkValidityOfSeed, designed to harvest wallet credentials. According to Aikido Security [2], the function transmitted stolen data via HTTP POST requests with a user agent masquerading as ad traffic (“ad-referral”). The attacker leveraged a developer account (mukulljangid) linked to Ripple, likely through credential compromise. Approximately 452 downloads of the malicious packages were recorded before mitigation.
TechCrunch [3] notes this attack follows a $112 million XRP theft from Ripple co-founder Chris Larsen’s personal wallets in January 2024, though no direct link has been confirmed. The incident mirrors previous supply chain attacks targeting Ethereum and Solana libraries, highlighting a broader trend of exploiting trust in widely used dependencies.
Technical Indicators and Mitigation
Key indicators of compromise (IoCs) include the domain 0x9c[.]xyz (registered shortly before the attack) and anomalous HTTP traffic containing wallet seeds. Ripple has since released a clean version of the package and removed the malicious versions. Users are advised to:
- Upgrade to the patched version immediately.
- Rotate keys and disable master keys if compromised.
- Audit dependencies for affected versions (2.14.2, 4.2.1–4.2.4).
Wallet Security Recommendations
Post-attack, non-custodial wallets like Atomic Wallet, Exodus, and Guarda [4] are recommended for XRP storage. These wallets prioritize local key storage and encryption, reducing exposure to supply chain risks. The XRP Ledger documentation [5] further outlines cryptographic key management best practices, including the use of hardware wallets for high-value accounts.
Relevance to Security Professionals
This incident highlights the need for robust dependency monitoring and supply chain risk management. Key takeaways include:
| Area | Action Item |
|---|---|
| Dependency Management | Implement automated tools to detect compromised packages (e.g., Snyk, DependencyCheck). |
| Wallet Security | Enforce multi-signature approvals for high-value transactions. |
| Incident Response | Monitor for IoCs like traffic to 0x9c[.]xyz or anomalous POST requests. |
For threat hunters, analyzing network logs for the specified user agent or domain can help identify compromised systems. Blue teams should prioritize reviewing CI/CD pipelines for unauthorized package modifications.
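The two defensive checks above (auditing installed dependencies for the affected versions, and hunting logs for the listed IoCs) as an added example; this is not code from the article or from the xrpl.js project, and the lockfile and log lines are constructed samples:

```javascript
// Added example (not from the article or from xrpl.js). Audits a package-lock.json
// for the compromised xrpl versions named in the article and scans proxy log lines
// for the two network indicators it lists. All sample data below is constructed.
const COMPROMISED_XRPL_VERSIONS = new Set(["2.14.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4"]);

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// installed copy of "xrpl" whose exact version is in the compromised set,
// including nested copies such as node_modules/some-sdk/node_modules/xrpl.
function findCompromisedXrpl(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/xrpl$/.test(path) && COMPROMISED_XRPL_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 also carries one, so only
  // fall back to it when no "packages" map is present)
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl" && COMPROMISED_XRPL_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Flag log lines carrying either indicator from the article: the exfiltration
// domain, or a POST request whose user agent is "ad-referral".
function findIocHits(logLines) {
  return logLines.filter(
    (l) => /0x9c\.xyz/i.test(l) || (/\bPOST\b/.test(l) && /ad-referral/i.test(l))
  );
}

// Constructed sample inputs (hypothetical paths and log format)
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/xrpl": { version: "4.2.3" },
  "node_modules/some-sdk/node_modules/xrpl": { version: "4.2.0" },
} };
const sampleLogs = [
  '2024-01-01T00:00:01Z POST https://0x9c.xyz/ ua="ad-referral" bytes=512',
  '2024-01-01T00:00:05Z GET https://example.com/api ua="node" bytes=80',
];
if (typeof require !== "undefined" && require.main === module) {
  console.log(findCompromisedXrpl(sampleLock), findIocHits(sampleLogs));
}
```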
Conclusion
The xrpl.js attack exemplifies the escalating sophistication of supply chain threats in cryptocurrency ecosystems. Proactive measures—such as regular dependency audits and adopting non-custodial wallets—are critical to mitigating similar risks. Future attacks may increasingly target lesser-maintained libraries, necessitating broader community vigilance.
References
1. “Ripple’s recommended XRP library xrpl.js hacked to steal wallets,” BleepingComputer, 2024.
2. “XRP Supply Chain Attack: Official NPM Package Infected with Crypto-Stealing Backdoor,” Aikido Security, 2024.
3. “Hackers steal $112 million of XRP Ripple cryptocurrency,” TechCrunch, 2024.
4. “Top 3 Best XRP Wallets,” Atomic Wallet, 2024.
5. “XRP Ledger Documentation: Cryptographic Keys,” Ripple, 2024.