Hacker infects Ripple’s XRP Ledger software with crypto-stealing ‘backdoor’



  • A hacker infected official developer software for Ripple’s XRP Ledger blockchain.
  • The malicious software versions have since been replaced with clean ones.

A hacker compromised a key piece of software used by developers of Ripple’s XRP Ledger blockchain on Monday, putting thousands of users’ funds at risk, according to Aikido, a crypto security firm.

Aikido discovered that a hacker had infected the official XRP Ledger node package manager with malicious code at 8:53pm UK time on Monday.

The software is used by “hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem,” Charlie Eriksen, an Aikido security researcher, said in a report.

New version

According to the XRPL GitHub, the node package manager was downloaded over 140,000 times last week.

The software was updated to a new version designed to override the compromised versions at around 2pm UK time on Tuesday.

XRP Ledger — or XRPL — is Ripple’s answer to rival public blockchains like Ethereum and Solana. It uses some of the same software as Ethereum and can support smart contracts, unlike the main Ripple blockchain.

DeFi apps on XRPL hold $80 million worth of user deposits.

It’s not clear how the hacker was able to replace XRPL software with malicious versions. It’s also unclear how many users downloaded or were affected by the malicious software while it was still live.

Ripple did not immediately respond to a request for comment.

The incident raises concerns over the level of security at Ripple and XRP Ledger.

In January 2024, Ripple co-founder Chris Larsen lost $112 million worth of XRP tokens in a theft which has since been tied to a compromise at password management software company LastPass.

After XRP’s price soared some 294% over the past year, the stolen tokens are now worth $449 million.

Private key theft

The compromise started when a user called mukulljangid released five new versions of the XRPL node package manager, without a matching release on the XRPL GitHub, something Eriksen said was very suspicious.
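The mismatch Eriksen describes, package versions published with no corresponding source release, can be checked mechanically. The following is an added example, not code from Aikido or the XRPL project; the package name, accounts, versions and tags are constructed, and the input is assumed to be shaped like npm registry metadata (`versions`, `time`, `_npmUser`).

```javascript
// Normalise tags like "v1.4.0", "1.4.0" or "<package>@1.4.0" to a bare version.
function tagToVersion(tag, packageName) {
  let t = tag.trim();
  if (t.startsWith(packageName + "@")) t = t.slice(packageName.length + 1);
  if (/^v\d/.test(t)) t = t.slice(1);
  return /^\d+\.\d+\.\d+/.test(t) ? t : null; // ignore non-release tags
}

// Registry versions with no corresponding source tag, ordered by publish time.
function findUnmatchedVersions(packument, repoTags) {
  const tagged = new Set(
    repoTags.map((t) => tagToVersion(t, packument.name)).filter(Boolean)
  );
  return Object.keys(packument.versions)
    .filter((v) => !tagged.has(v))
    .map((v) => ({
      version: v,
      publisher: (packument.versions[v]._npmUser || {}).name || "unknown",
      published: packument.time[v],
    }))
    .sort((a, b) => Date.parse(a.published) - Date.parse(b.published));
}

// Group unmatched versions by publishing account to surface a burst from one user.
function unmatchedByPublisher(packument, repoTags) {
  const byUser = {};
  for (const f of findUnmatchedVersions(packument, repoTags)) {
    (byUser[f.publisher] = byUser[f.publisher] || []).push(f.version);
  }
  return byUser;
}

// Constructed sample data (hypothetical package, accounts and timestamps).
const samplePackument = {
  name: "example-ledger-sdk",
  versions: {
    "1.4.0": { _npmUser: { name: "release-bot" } },
    "1.4.1": { _npmUser: { name: "new-account" } },
    "1.4.2": { _npmUser: { name: "new-account" } },
    "1.3.1": { _npmUser: { name: "new-account" } },
  },
  time: {
    "1.4.0": "2024-11-01T09:00:00Z", "1.4.1": "2025-01-02T10:00:00Z",
    "1.4.2": "2025-01-02T10:20:00Z", "1.3.1": "2025-01-02T10:40:00Z",
  },
};
const sampleTags = ["example-ledger-sdk@1.4.0", "v1.3.0", "docs-2024"];
console.log(unmatchedByPublisher(samplePackument, sampleTags));
```

A version that appears in this output is a prompt for manual review of the published tarball, not proof of compromise, since some projects legitimately publish without tagging.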

Over several version updates, the hacker implanted code into the XRPL software designed to steal the password-like private keys that grant access to crypto wallets.

If a hacker were to gain knowledge of these keys, they could use them to access crypto wallets and transfer out funds without their owners’ permission.

The multiple version updates show that the attacker was “actively working on the attack, trying different ways to insert the backdoor while remaining as hidden as possible,” Eriksen said.

In cybersecurity, a backdoor is a secret, undocumented way of bypassing normal security measures to gain unauthorised access to a system or network.

Eriksen said the malware was detected by Aikido’s public threat feed that uses large language models to monitor and identify if malicious code is added to new or existing software.

Last year, private key compromises accounted for the largest share of stolen crypto at 43.8%, according to a report from crypto security firm Chainalysis.

Tim Craig is Inside Solana’s Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.

Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of insidesolana.com’s editorial.