- A malicious actor used a compromised Ripple developer account to publish backdoored package versions to npm
- The backdoored versions would give the attacker access to users' cryptocurrency wallets
- They were downloaded about 450 times before being taken down
A JavaScript library recommended by a major cryptocurrency company has been hijacked, and users now risk losing access to their cryptocurrency wallets, as well as the funds stored in them.
Researchers warned that someone managed to gain access to an npm account belonging to a developer associated with Ripple.
After breaking into the account, the threat actor modified the npm JavaScript library called xrpl.js. "Versions 2.14.2, 4.2.1, 4.2.2, 4.2.3 and 4.2.4 of the xrpl npm package were modified and then published to npm." The xrpl.js library is used to interact with the XRP Ledger (XRPL) from JavaScript, so any application that installs one of those versions pulls the attacker's code into the place where wallet keys are handled.
GitHub not affected
Ripple is a cryptocurrency company that built XRP, currently the fourth-largest cryptocurrency. It is designed for cross-border payments and foreign exchange transfers, mainly for financial institutions. At the time of publication, XRP has a market capitalization of $132.34 billion and a daily transaction volume of $5 billion.
Before being taken down, the malicious updates accumulated 452 downloads. The latest version now shown is 4.2.5, and it is clean. Users are advised to update immediately and, since lockfiles pin exact versions, to check any package-lock.json or yarn.lock that resolves xrpl to one of the five affected versions. Normally, the library sees more than 100,000 downloads per week.
The malicious commits are not found in the GitHub repository, which indicates that the compromise happened during the npm publishing process: the tarballs uploaded to the registry differ from the source in version control, so auditing GitHub alone would not have revealed the backdoor.
Meanwhile, the XRP Ledger Foundation took to X to clarify that the XRP Ledger codebase and GitHub repository were not affected:
"To clarify: this vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not affect the XRP Ledger codebase or the GitHub repository."
The Xaman Wallet, XRPScan, First Ledger and Gen3 Games projects were not affected.
Via BleepingComputer