22 April 2025
Backdoor Discovered in xrpl.js Library Poses Security Risk
A security vulnerability has been identified in the XRP Ledger (XRPL) ecosystem, specifically within the xrpl.js library. The cybersecurity firm Aikido Security reported a backdoor in versions 4.2.1 to 4.2.4 that could lead to stolen private keys and lost funds.
Key Points
- The backdoor allows attackers to secretly send private keys from users' wallets.
- Aikido Security first announced this on April 22, including a screenshot of the malicious code.
- Developers using affected versions are advised to downgrade immediately; those on earlier versions should not upgrade.
- The core XRPL remains secure, but applications relying on the compromised library may be at risk.
- XRPScan confirmed it is safe, using an older version without the backdoor.
- Xaman Wallet also reported that its infrastructure does not rely on the vulnerable library.
This incident highlights the importance of reviewing third-party tools in crypto development. Recent issues have prompted increased security measures across various projects.
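
To check whether a project resolves to one of the affected versions, including copies pulled in by another dependency, the lockfile can be scanned directly. The following is an added example, not code from Aikido Security or the xrpl.js project; it assumes the library is installed under its npm name `xrpl`, and the sample lockfile and the `payments-sdk` package name are constructed for illustration.

```javascript
// Added example: find xrpl.js installs in the version range the article reports
// as backdoored (4.2.1 to 4.2.4) inside a parsed package-lock.json.
const PKG = "xrpl"; // assumption: npm package name of xrpl.js

function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version || "");
  if (!m) return false; // pre-release or malformed versions are not matched
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 4 && minor === 2 && patch >= 1 && patch <= 4;
}

function findAffectedXrpl(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // e.g. "node_modules/a/node_modules/xrpl" for a nested copy.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === PKG && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail ? `${trail} > ${name}` : name;
      if (name === PKG && isAffected(meta.version)) {
        hits.push({ path: here, version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  // v2 lockfiles carry both sections; skip the tree to avoid duplicates.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from the article): the direct dependency
// is an unaffected version, but a transitive copy is in the affected range.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.0" },
    "node_modules/payments-sdk/node_modules/xrpl": { version: "4.2.3" },
  },
};
console.log(findAffectedXrpl(sampleLock));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findAffectedXrpl`; an empty array means no affected copy is pinned in that lockfile.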