XRP Community Issued Critical Alert on New Threat, What Happened?

The XRP community has received a critical security alert following a recent tweet by security platform Aikido Security.

In a tweet, Aikido Security said it had discovered a backdoor in the official XRPL NPM package, a popular library for integrating a JavaScript/TypeScript app with the XRP Ledger when advanced functionality is required. This back door steals private keys and sends them to attackers, prompting an urgent alert to all XRP developers and projects.

According to Aikido Security, versions 4.2.1 to 4.2.4 of the XRPL NPM package were compromised. It listed the compromised versions as 4.2.4, 2.14.2, 4.2.3, 4.2.2 and 4.2.1.

Thomas Silkjaer, Head of Analytics and Compliance at InFTF, retweeted Aikido Security’s post and issued a warning: “Be aware. Make sure your project is not using the latest NPM version, as it will compromise all accounts created with the library.”

What’s going on?

Vet, an XRPL dune validator, echoed a similar warning: “XRP Ledger Devs and Projects—if you use XRPL JS library, don’t update or use any version 4.2.1 or higher. It’s compromised—any project utilizing the newest version of XRPL JS is putting users and funds at risk. Please let every project and developer know about this.”

Infrastructure provider Alloy Network tweeted an urgent alert while sharing Aikido Security’s warning: “This is verified. The latest version of the npm package is compromised. Roll back if you’re on the latest. Immediately.”

Denis Angell, a software engineer at XRPL Labs and Xahau, stated that the current stable version of xrpl.js is 4.2.0.

Xaman Builder, XRPL Labs, stated that “the compromised xrpl.js NPM package does not affect Xaman Wallet. Xaman uses in-house infrastructure and libraries developed by XRPL Labs. We do not rely on third-party libraries like xrpl.js to handle private keys or transactions. Xaman users are not affected.”