xrpl.js Private Key Exfiltration Vulnerability
Vulnerability
A supply chain attack has been identified in the official xrpl.js NPM package, which is used to interact with the XRP Ledger. Malicious code was introduced in versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. This code is designed to exfiltrate private keys from users, potentially compromising their cryptocurrency wallets. The attack was executed by inserting a backdoor that activated upon the creation of a Wallet object, stealing private keys as soon as they were generated or imported.
Impact
The vulnerability allows for the unauthorized exfiltration of private keys, which can lead to the theft of cryptocurrency from affected wallets.
Reproduction
The vulnerability can be reproduced by installing one of the compromised versions of the xrpl.js package, either directly or as a dependency. Once the package is installed, the malicious code will automatically execute when a Wallet object is created, sending the private key to the attacker's server.
Remediation
Users should immediately upgrade to xrpl.js version 4.2.5 or 2.14.3 and rotate any private keys or secrets used with affected systems. To disable a potentially compromised master key, follow the instructions available on the XRP Ledger's official website.
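As an added example (not from this advisory or the xrpl.js project), the following script checks an npm lockfile for the compromised xrpl versions listed above, including transitive copies nested under other packages, and names the fixed release for each. It assumes a lockfile v2/v3 `packages` map and uses a constructed sample lockfile.

```javascript
// Added example: scan an npm lockfile (v2/v3 "packages" map) for the xrpl.js
// versions named in the advisory. Not code from the advisory or xrpl.js itself.
const COMPROMISED = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);

// Fixed releases from the advisory, keyed by major version line.
const FIXED = { 4: '4.2.5', 2: '2.14.3' };

// Lockfile keys look like "node_modules/xrpl" or
// "node_modules/some-lib/node_modules/xrpl"; the package name is the
// last segment after the final "node_modules/" (xrpl is not scoped).
function packageNameFromKey(key) {
  const segments = key.split('node_modules/');
  return segments[segments.length - 1];
}

// Returns one finding per compromised xrpl copy, direct or transitive.
function findCompromisedXrpl(lockfile) {
  const findings = [];
  for (const [key, meta] of Object.entries(lockfile.packages || {})) {
    if (key === '' || packageNameFromKey(key) !== 'xrpl') continue;
    if (COMPROMISED.has(meta.version)) {
      const major = Number(meta.version.split('.')[0]);
      findings.push({ path: key, version: meta.version, upgradeTo: FIXED[major] });
    }
  }
  return findings;
}

// Human-readable report lines for the findings.
function formatFindings(findings) {
  return findings.map(
    (f) => `${f.path}: xrpl ${f.version} is compromised, upgrade to ${f.upgradeTo}`
  );
}

// Constructed sample lockfile: one direct compromised install, one transitive
// compromised copy under a dependency, and one clean (fixed) copy.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/xrpl': { version: '4.2.3' },
    'node_modules/legacy-wallet-lib': { version: '0.9.0' },
    'node_modules/legacy-wallet-lib/node_modules/xrpl': { version: '2.14.2' },
    'node_modules/other-lib': { version: '2.0.0' },
    'node_modules/other-lib/node_modules/xrpl': { version: '4.2.5' },
  },
};

formatFindings(findCompromisedXrpl(SAMPLE_LOCK)).forEach((line) => console.log(line));
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfile v1 files use a nested `dependencies` tree instead and are not covered here.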
