XRP Foundation Issues Statement on Vulnerability That Could Lead to Users' Assets Being Stolen


A serious software vulnerability has been discovered in recent updates of the JavaScript development library for the XRP Ledger, causing alarm in the cryptocurrency developer community. The XRP Ledger Foundation has revealed that the vulnerability affects several versions of the JavaScript xrpl package, a widely used software development toolkit for interacting with the XRP Ledger.

According to the Foundation, the security vulnerability was discovered by Charlie Eriksen, a malware researcher at Aikido Security, who described the issue as a "potentially devastating" supply chain attack. Eriksen warns: "This security vulnerability could allow malicious actors to steal users' private keys and gain unauthorized access to wallets." It is still unclear whether any users have been directly affected.

The affected versions include v4.2.1 to v4.2.4 and v2.14.2. The XRP Ledger technical team has released v4.2.5, disabling the compromised packages. Users and developers relying on the affected versions are advised to update immediately.

The Foundation stated the following in a subsequent statement on social media: "To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not affect the XRP Ledger codebase or the GitHub repository." The malware appears to have been introduced through Node Package Manager (NPM), a widely used platform for sharing JavaScript packages.

Projects like Xaman Wallet and XRPScan have confirmed that their services are likely unaffected, as they do not use the compromised versions. The XRP Ledger Foundation announced that a full report on the incident will be released as soon as more information about the exploitation of the backdoor becomes available.
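
An added example, not part of the original article or the xrpl.js project: a Node.js check that scans a parsed `package-lock.json` for the affected xrpl versions listed above, including copies pulled in transitively. The function name and the sample lockfiles (`demo-app`, `pay-sdk`) are constructed for illustration.

```javascript
// Affected xrpl releases as listed in the article: v4.2.1 to v4.2.4 and v2.14.2.
const AFFECTED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

// Return every place a lockfile pins an affected xrpl release.
// Handles both layouts npm writes: the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
function findAffectedXrpl(lock) {
  const hits = [];
  // v2/v3: keys are install paths such as "node_modules/a/node_modules/xrpl".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root entry describes the project itself
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "xrpl" && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // v1: walk the nested tree so copies bundled under other packages are seen.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "xrpl" && AFFECTED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  // Lockfile v2 carries both sections; skip the tree there to avoid duplicates.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (hypothetical projects, not real data).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" }, // fixed release
    "node_modules/pay-sdk/node_modules/xrpl": { version: "4.2.3" }, // affected
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "pay-sdk": { version: "1.0.0", dependencies: { xrpl: { version: "2.14.2" } } },
  },
};
console.log(findAffectedXrpl(sampleV3), findAffectedXrpl(sampleV1));
```

To check a real project, pass the function `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A clean result describes the current lockfile only and says nothing about versions that were installed earlier.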
