An attacker compromised the official XRP Ledger (XRPL) npm package and published versions carrying malicious code designed to steal private keys. The attack, first described by Aikido security researcher Charlie Eriksen, could have exposed thousands of crypto wallets. The incident underscores the growing threat that software supply chain attacks pose to the wider crypto space.

The XRP Ledger was created in 2011 by many of the same individuals who went on to start Ripple. It is an open-source, decentralized platform maintained by a community of enterprises and developers, with Ripple actively involved in its continued development. The compromised npm package, a critical component for applications that interact with the XRPL, was downloaded over 140,000 times in the past week, which amplifies the potential impact of the breach.

Discovery of the Malicious Code

The compromise surfaced as five successive releases of the XRP Ledger npm package. What made these releases suspect right away was the complete absence of corresponding updates on the official XRP Ledger GitHub repository: versions appeared on the registry with no matching changes in source control. That discrepancy was the biggest red flag that something was wrong.

Aikido’s open threat feed continuously monitors software updates and uses large language models to detect malicious code. It recently raised the alarm about questionable activity in these releases. On further investigation, Charlie Eriksen confirmed the presence of malicious code designed to steal private keys, which function like passwords and are essential for accessing and controlling crypto wallets.

"hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem" - Charlie Eriksen

Implications for XRP Ledger Users

The malicious code appears to have been designed to steal private keys. These keys, similar to passwords, give whoever holds them access to a cryptocurrency wallet. Had the attack succeeded, the attacker would have been able to seize control of the funds stored in those wallets. This kind of attack poses significant risks for decentralized finance (DeFi) applications deployed on the XRP Ledger, which jointly hold over $80 million in user deposits.

Eriksen noted that the attacker remained active across multiple minor version updates, which points to a sustained effort to penetrate the XRP Ledger ecosystem rather than a single injection. Even more alarming, the malicious code propagated through the official npm package itself, adding to the severity of the threat. Developers and users generally place more trust in packages published from official accounts, which added a significant additional layer of risk.

Remediation and Future Security Measures

After finding the malware, Aikido immediately disclosed the breach. The investigation into this attack is ongoing. The incident is a reminder of the importance of comprehensive security practices across the entire open-source software supply chain. Developers and users of the XRP Ledger npm package are encouraged to check their systems for indicators of compromise and to make sure they are running verified, trusted versions of the software.

The XRP Ledger GitHub repository and the documentation for the npm package allow anyone to check the integrity of a published package against its source. The incident serves as a stark reminder of the need for continuous vigilance and proactive security measures to protect against evolving threats in the cryptocurrency space.
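The check described above (a registry release with no matching tag in source control, and whether a project's lockfile pins such a release) as an added example that is not part of the original article, Aikido's tooling, or the XRPL project; the package name, version lists, tags and lockfile are constructed placeholders, and real input would come from the npm registry's version list and the repository's tags.

```python
import json
import re

# Constructed sample data standing in for registry and GitHub responses.
PACKAGE = "example-ledger-sdk"  # placeholder, not the real package name

# Versions the registry reports as published (constructed)
REGISTRY_VERSIONS = ["1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2"]

# Tags present on the source repository (constructed); note the 'v' prefix
REPO_TAGS = ["v1.0.0", "v1.0.1", "v1.1.0"]

# Minimal package-lock.json (lockfileVersion 3) content (constructed)
LOCKFILE = json.dumps({
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {PACKAGE: "^1.1.0"}},
        f"node_modules/{PACKAGE}": {"version": "1.1.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
    }
})

def normalize_tag(tag: str) -> str:
    """Reduce a git tag such as 'v1.2.3' or 'pkg@v1.2.3' to '1.2.3'."""
    return re.sub(r"^(?:.*@)?v?", "", tag)

def versions_without_source_tag(registry_versions, repo_tags):
    """Return published versions that have no matching tag in the repo.
    A release present on the registry but absent from source control could
    not have gone through the normal tag-and-build workflow."""
    tagged = {normalize_tag(t) for t in repo_tags}
    return [v for v in registry_versions if v not in tagged]

def installed_version(lockfile_text, package):
    """Return the version of `package` pinned in a v2/v3 package-lock.json."""
    lock = json.loads(lockfile_text)
    entry = lock.get("packages", {}).get(f"node_modules/{package}")
    return entry["version"] if entry else None

def lockfile_exposure(lockfile_text, package, suspect_versions):
    """True if the lockfile pins `package` to one of `suspect_versions`."""
    version = installed_version(lockfile_text, package)
    return version is not None and version in suspect_versions

if __name__ == "__main__":
    suspect = versions_without_source_tag(REGISTRY_VERSIONS, REPO_TAGS)
    print("versions with no source tag:", suspect)
    print("lockfile pins a suspect version:", lockfile_exposure(LOCKFILE, PACKAGE, suspect))
```

A missing tag is a signal to investigate, not proof of compromise; some projects legitimately tag after publishing or use a different tag scheme.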