Official XRP NPM package has been compromised and key-stealing malware introduced
a year ago
- #supplychain-attack
- #cryptocurrency
- #cybersecurity
- Aikido Intel detected five new suspicious versions of the xrpl package, the official SDK for the XRP Ledger, with over 140,000 weekly downloads.
- The compromised package versions (4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2) contained a backdoor to steal cryptocurrency private keys and access wallets.
- Malicious code was found in src/index.ts, including a function 'checkValidityOfSeed' that sent private keys to a suspicious domain (0x9c[.]xyz).
- The attacker evolved their approach, initially modifying built JavaScript files and later inserting malicious code into TypeScript files.
- Aikido Intel, using LLMs, identified the attack by monitoring public package managers like NPM for malicious code.
- Indicators of compromise include specific package versions and the domain 0x9c[.]xyz.
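The package versions above are the most actionable indicator for anyone running a Node.js project. The following is an added example, not code from the report or from the xrpl project: it walks a parsed package-lock.json (lockfile v1 nested `dependencies` or v2/v3 flat `packages`) and reports every xrpl copy pinned to one of the compromised versions, including transitive copies nested under other packages. The sample lockfile is constructed for the demonstration.

```javascript
// Added example: flag compromised xrpl versions in a parsed package-lock.json object.
// Versions named in the report as containing the key-stealing backdoor.
const COMPROMISED_XRPL = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

// Returns [{ path, version }] for every xrpl entry resolved to a compromised version.
function findCompromisedXrpl(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // Lockfile v2/v3: flat map keyed by install path, e.g. "node_modules/xrpl"
    // or "node_modules/some-lib/node_modules/xrpl" for a nested (transitive) copy.
    // v2 files also carry a "dependencies" tree; we skip it to avoid double counting.
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (/(^|\/)node_modules\/xrpl$/.test(path) && COMPROMISED_XRPL.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // Lockfile v1: nested "dependencies" tree; walk it recursively and rebuild the path.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl" && COMPROMISED_XRPL.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

// Constructed sample (v3 shape): one clean top-level xrpl, one compromised transitive copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.0" },
    "node_modules/some-lib/node_modules/xrpl": { version: "4.2.4" },
  },
};

// Report findings; in a real run, replace SAMPLE_LOCKFILE with JSON.parse of your lockfile.
for (const hit of findCompromisedXrpl(SAMPLE_LOCKFILE)) {
  console.log(`COMPROMISED xrpl@${hit.version} installed at ${hit.path}`);
}
```

A match means the lockfile pins a backdoored build; treat any seed or private key that was loaded while that version was installed as exposed, not merely the package as needing an upgrade.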