Serious Flaw in XRP Ledger SDK Exposes Private Keys; Foundation Fixes with New Release
- Malicious code was released in the XRP Ledger SDK
- Update to xrpl.js 4.2.5 fixes serious flaw
- Foundation recommends urgent review of installations
A critical vulnerability has been discovered in the xrpl.js development kit, a JavaScript library used to interact with the XRP Ledger. The flaw affected versions 4.2.1 to 4.2.4, allowing hackers to gain unauthorized access to private keys of cryptocurrency-linked wallets.
The flaw was caused by malicious code inserted into fake versions of the package in the npm package manager. The manipulation allowed sensitive data to be automatically sent to an external domain. Early detection of the suspicious activity prevented further damage, but thousands of projects and developers using this library were exposed.
The XRP Ledger Foundation confirmed the issue and quickly released version 4.2.5 of the SDK, which removes the backdoor and ensures the security of applications. In addition, it recommended the immediate discontinuation of the compromised versions, reinforcing that the error did not affect the network's main code or the official GitHub repository.
Impacted developers were advised to either update their SDK to the safe version as soon as possible or migrate to an older stable version (2.14.3). Teams that kept versions locked in pnpm-lock.yaml were able to avoid the automatic update to the malicious versions.
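To check whether a project resolved to one of the affected releases, the lockfile can be scanned directly. The following is an added example, not code from the XRP Ledger Foundation or the xrpl.js project; the function names and sample lockfiles are constructed for illustration, and it assumes an npm `package-lock.json` (lockfileVersion 2 or 3) or a `pnpm-lock.yaml` whose package keys use the `xrpl@<version>` form.

```javascript
// Versions the article names as compromised (4.2.1 to 4.2.4).
const COMPROMISED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4"]);

// package-lock.json (lockfileVersion 2/3): entries live under "packages",
// keyed by install path, e.g. "node_modules/xrpl" or a nested copy.
function scanPackageLock(text) {
  const hits = [];
  for (const [path, meta] of Object.entries(JSON.parse(text).packages || {})) {
    const isXrpl = path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl");
    if (isXrpl && COMPROMISED.has(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// pnpm-lock.yaml: package keys look like "/xrpl@4.2.3:" or "xrpl@4.2.3:",
// optionally with a peer suffix in parentheses. A line scan avoids a YAML dependency.
function scanPnpmLock(text) {
  const key = /^\s*['"]?\/?xrpl@(\d+\.\d+\.\d+)(?:\(.*\))?['"]?:\s*$/;
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = key.exec(line);
    if (m && COMPROMISED.has(m[1])) hits.push({ path: `line ${i + 1}`, version: m[1] });
  });
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_NPM = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-wallet/node_modules/xrpl": { version: "4.2.5" },
  },
});
const SAMPLE_PNPM = [
  "lockfileVersion: '9.0'",
  "packages:",
  "  xrpl@4.2.0:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "  ripple-keypairs@2.0.0:",
].join("\n");

console.log(scanPackageLock(SAMPLE_NPM), scanPnpmLock(SAMPLE_PNPM));
```

Pass each function the contents of the project's lockfile; any hit means the install resolved to a version in the affected range, while the pinned 4.2.0 in the pnpm sample produces none.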
Projects such as Xaman Wallet, XRPScan, Bitfrost and Gen3 Games reported that they were not affected by the flaw, either because they use their own libraries or uncompromised versions of the SDK.
This incident reinforces the importance of stricter security practices, especially in the software supply chain associated with the cryptocurrency ecosystem, which has become a constant target of attacks.