
XRP Ledger Fixes Critical Vulnerability Found in XRPL Library

Security Flaw in XRP Ledger Toolkit Resolved After Developer Token Exploited

A critical security flaw in the XRP Ledger's JavaScript developer toolkit was discovered and quickly patched after a threat actor used a stolen access token for npm (Node Package Manager), the registry through which developers publish and install reusable JavaScript code, to publish tampered versions of the package. The compromise, which could have had devastating consequences, was flagged by security researchers, including Charlie Eriksen of Aikido Security, who first identified the issue.

According to Aikido Security, the attack was carried out using a developer's npm access token, though how the token was stolen and who the attackers are remain unclear. The compromise affected specific published versions of the xrpl npm package, not npm itself; these are the versions applications install to interact with the XRP Ledger.

“The stolen NPM access token allowed the threat actor to inject harmful code into recent toolkit versions designed for building XRP Ledger-compatible apps,” Eriksen explained in a security update. “This vulnerability could have led to catastrophic consequences for the crypto ecosystem if left unchecked.”

The issue was confined to specific versions of the xrpl package, and major XRP-related services such as Xaman Wallet and XRPScan confirmed they were not affected. Xaman Wallet issued a statement highlighting its commitment to security and in-house development, reassuring users that they were unaffected by the compromise.

In a post on X, Xaman Wallet’s Robert Kiuru stated, “With today’s npm vulnerability, it’s a clear reminder about truly knowing what you’re using. At Xaman, our track record speaks for itself. We’ve been feature-complete, security-first from day one, building everything in-house. No shortcuts. This is what trust looks like.”

The compromised package was "xrpl.js", the core JavaScript library for XRP Ledger interactions, published on npm as "xrpl". The library is widely used by third-party apps and services, with over 140,000 weekly downloads, which raised concerns about a large-scale supply chain attack on the broader cryptocurrency ecosystem: an application that installed a malicious version would run the injected code, which could allow attackers to steal private keys and put users' crypto wallets at risk.

At 20:53 GMT on April 21, Aikido Security's monitoring system, Aikido Intel, flagged the appearance of five new versions of the "xrpl" package. Eriksen noted that these versions had already been downloaded widely, which could have exposed a large number of applications to compromise.

Following the discovery, the XRP Ledger Foundation moved swiftly to mitigate the issue. It released updated versions of the toolkit, deprecating the affected versions (v4.2.1-4.2.4 and v2.14.2). Developers were urged to upgrade to the secure v4.2.5 immediately.

The XRP Ledger Foundation clarified that the vulnerability was limited to the “xrpl.js” library and did not impact the core XRP Ledger codebase or its GitHub repository. They emphasized that only third-party applications that had installed the flawed versions during the short window of vulnerability were at risk.

Meanwhile, XRP's price rose by 8.5% over the same 24 hours, in line with a broader market rally rather than the incident itself. Despite the scare, the quick resolution and transparency from the XRP Ledger team helped maintain confidence in the network's security.

Developers using “xrpl.js” are strongly encouraged to upgrade immediately to v4.2.5 to ensure the integrity and safety of their applications and users.
