A malicious code has been discovered in the npm package xrpl, which has been revealed to send master clouds from cryptocurns and closed cryptocurrency keys to an external server. The XRPL package is considered an officially recommended library for JavaScript- and Typescript applications operating through a browser or Node.js. The decentralized payment network XRP Ledger (Ripple), which develops cryptocurrency XRP, is one of the largest cryptocurrencies in terms of capitalization, only behind BTC, ETH, and USDT. The XRPL.js library, which has had 165 thousand downloads in the week leading up to the incident, is used as a dependency in various NPM packets and is integral to many cryptocurrency applications and sites.
The malicious code was identified in versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of XRPL.js, but has since been removed in versions 4.2.5 and 2.14.3. These malicious versions were not published on GitHub and were only found in the NPM repository. The packages containing the harmful code were added to the repository on April 21 at 23:53 (MSK) and were swiftly removed by the repository administration on April 22 at 16:00 (MSK). While details of the incident analysis from the XRP Ledger project have not been released, it is believed that the attack was carried out through the compromised record of a team member using social engineering and phishing tactics.