|
| 1 | +--- |
| 2 | +category: 2025 |
| 3 | +date: 2025-04-25 |
| 4 | +seo: |
| 5 | + title: Malicious Supply Chain Compromise in xrpl.js npm Package |
| 6 | + description: This disclosure report contains technical details of vulnerability of the XRP Ledger Javascript library package hosted at npmjs.com. |
| 7 | +labels: |
| 8 | + - Advisories |
| 9 | +markdown: |
| 10 | + editPage: |
| 11 | + hide: true |
| 12 | +--- |
| 13 | +# Malicious Supply Chain Compromise in xrpl.js npm Package |
| 14 | + |
| 15 | +This disclosure report contains technical details of the vulnerability of the XRP Ledger Javascript library package (`xrpl.js`) hosted at [npmjs.com](http://npmjs.com). |
| 16 | + |
| 17 | +**Date Reported:** April 22, 2025 |
| 18 | + |
| 19 | +**Affected Version(s):** xrpl.js (xrpl in npmjs.com) versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 |
| 20 | + |
| 21 | +## Summary of Vulnerability |
| 22 | + |
| 23 | +On April 21st, 2025, several versions of xrpl.js were published with malicious code injected to surreptitiously capture secret key material and exfiltrate that material to an unknown attacker’s website. |
| 24 | + |
| 25 | +This attack was discovered and reported in the early morning hours of April 22nd, 2025 UTC, and the incident was resolved by mid-afternoon on the same day UTC time when new versions of xrpl.js were published and all malicious package versions were deprecated in npmjs.com. |
| 26 | + |
| 27 | + |
| 28 | +## Impact |
| 29 | + |
| 30 | +This vulnerability does **not** affect the XRP Ledger network or codebase, but is instead limited to the npm package called `xrpl`, which is the package name for the **xrpl.js** (a JavaScript library for interacting with the XRP Ledger). |
| 31 | + |
| 32 | +**Note:** No GitHub repositories were compromised at any time as part of this incident. Instead, the attacker was able to publish malicious code directly into the npm registry system using compromised npm credentials. In particular, npm versions `2.14.2` and `4.2.1` - `4.2.4` of xrpl.js were compromised with malicious code designed to exfiltrate private key material. |
| 33 | + |
| 34 | +As of today, no downstream effects have been reported. Those that have installed the infected versions should assume their wallets are compromised and follow the [recommendations for key rotation](https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx). |
| 35 | + |
| 36 | + |
| 37 | +## Technical Details |
| 38 | + |
| 39 | +### Discovery |
| 40 | + |
| 41 | +At 9:14 AM UTC on 22 Apr 2025, Ripple teams were alerted by a security researcher from Aikido Security about a breach in the `xrpl` package in the npmjs.com repository. The malicious package contained a function called `checkValidityOfSeed`, which triggers a call to the attacker’s domain to surreptitiously steal information used to assemble an XRPL private key. |
| 42 | + |
| 43 | +Ripple and the XRPL Foundation began investigating the incident, and learned from the Aikido team that versions `4.2.1` through `4.2.4` (as well as `2.14.2`) were impacted. As part of this discovery process, Ripple engineering teams verified that malicious code was initially implemented within the functions `generate(algorithm = DEFAULT algorithm)` and `fromRFC1751Mnemonic(mnemonic, opts)`. This code was published in all cases directly into npm (bypassing all PR approval processes) using the same compromised user account. |
| 44 | + |
| 45 | +In tandem, by noon UTC this incident became publicly known online, for example: [this](https://x.com/AikidoSecurity/status/1914610391218299190), [this](https://x.com/JoelKatz/status/1914698364995944501), [this blog](https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor), and [this reddit post](https://www.reddit.com/r/cybersecurity/comments/1k547oz/offical_xrp_npm_package_has_been_compromised_and/?rdt=57277). Later in the morning, the XRP Ledger Foundation issued a statement on X [here](https://x.com/XRPLF/status/1914659876833284399), notifying applications and letting the community know that teams were working on a fix. |
| 46 | + |
| 47 | +### Root Cause |
| 48 | + |
| 49 | +On 21 Apr 2025 at 20:39 UTC, a Ripple employee who helps maintain the affected package was phished for their credentials. This provided the threat actor access to the npm package repository for the `xrpl` library, and this access was abused to modify the javascript package code such that, when executed by downstream dependent software, XRPL private key material would be sent to the threat actor’s server. |
| 50 | + |
| 51 | +In total, five **malicious** package versions were published for `xrpl`: |
| 52 | + |
| 53 | +1. 4.2.1 - Published at 2025-04-21T20:46:24.710Z |
| 54 | +2. 4.2.2 - Published at 2025-04-21T20:55:55.822Z |
| 55 | +3. 4.2.3 - Published at 2025-04-21T21:32:24.445Z |
| 56 | +4. 2.14.2 - Published at 2025-04-21T21:37:09.418Z |
| 57 | +5. 4.2.4 - Published at 2025-04-21T21:49:35.179Z |
| 58 | + |
| 59 | +A joint investigation team inside of Ripple confirmed that the phishing attack specifically targeted npm and no other platforms were affected. |
| 60 | + |
| 61 | +### Remediation |
| 62 | + |
| 63 | +* Affected `xrpl` versions in npm have been identified and deprecated. We have reached out to npm for assistance with unpublishing them entirely. |
| 64 | +* New versions of the affected packages have been published. See [here](). |
| 65 | +* Improved User Security |
| 66 | + * The compromised user has been removed as a maintainer of all XRPL-related npm packages; the root cause of the user compromise has been identified and resolved. |
| 67 | + * Ripple and the XRPLF have enabled 2FA for all users in npmjs.com. |
| 68 | +* XRPLF has been leading communications with the XRPL developer community via several different channels throughout the incident, with support from Ripple. |
| 69 | +* Ripple is working with `xrpl` package dependents to ensure they’re not running impacted versions of their software released on npm during the window of compromise. |
| 70 | +* The malicious website used by the attacker has been reported to the domain registrar. |
| 71 | +* CVE Requested via [Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2](https://github.com/advisories/GHSA-33qr-m49q-rxfx); accepted as CVE-2025-32965 with a score of 9.3; CVE Published to [NIST Database](https://nvd.nist.gov/vuln/detail/CVE-2025-32965). |
| 72 | +* Advisory notifications sent to [xrpl-announce](https://groups.google.com/g/xrpl-announce/c/VpOgCk4SxNE). |
| 73 | + |
| 74 | +## Strategic Mitigation Initiatives |
| 75 | + |
| 76 | +Ripple and XRPLF engineering teams are implementing a series of strategic prevention measures as part of an ongoing commitment to software supply chain security. These include strengthening the integrity of release processes through automation and verification enhancements, as well as expanding monitoring capabilities to detect anomalies in publishing workflows. The teams are also reviewing collaborator/publish access to ensure redundancy and remove single points of failure. These efforts will be rolled out in phases and are designed to proactively reduce risk and enhance trust in the open-source ecosystem. |
| 77 | + |
| 78 | +## Steps to Reproduce |
| 79 | + |
| 80 | +This [explainer video](https://x.com/advocatemack/status/1914697731710374013) by [@advocatemack](https://x.com/advocatemack) provides an excellent summary of how the attacker executed this exploit. |
| 81 | + |
| 82 | +## Fixes / Patches Available |
| 83 | + |
| 84 | +The fix for this issue is available in the `xrpl` package on [npmjs.com](http://npmjs.com), versions `4.2.5` and `2.14.3`. All projects are advised to avoid versions `4.2.1` through `4.2.4`, and also avoid `2.14.2`. |
| 85 | + |
| 86 | + |
| 87 | +## Acknowledgements |
| 88 | + |
| 89 | +Thanks to Aikido Security and [Charlie Eriksen](https://x.com/CharlieEriksen) for discovering this compromise, and to the XRPLF for jumping into action to investigate and mitigate this vulnerability. |
| 90 | + |
| 91 | +And, as always, thanks to the global community of validators, developers, and contributors who keep the XRP Ledger running and help keep the network safe and secure. |
| 92 | + |
| 93 | + |
| 94 | +## References |
| 95 | + |
| 96 | +* xrpl.js Github Repository: [https://github.com/xrplf/xrpl.js](https://github.com/xrplf/xrpl.js) |
| 97 | +* xrpl.js npm Package: [https://www.npmjs.com/package/xrpl]https://www.npmjs.com/package/xrpl() |
| 98 | +* Attack Explainer Video: [https://x.com/advocatemack/status/1914697731710374013](https://x.com/advocatemack/status/1914697731710374013) |
| 99 | + |
| 100 | + |
| 101 | +## Contact |
| 102 | + |
| 103 | +For more information or to report further issues, please contact the team at bugs@xrpl.org. |
| 104 | + |
| 105 | +## Incident Response Timeline |
| 106 | + |
| 107 | +| Key Actions | Timestamp | Description | |
| 108 | +|:------------------|:------------|:---------------------------------------------------------| |
| 109 | +| Initial Discovery | April 22nd, 2025 08:14 UTC | Ripple alerted by an external security researcher about a breach in the `xrpl` package on npm. | |
| 110 | +| Mitigation Actions Taken | April 22nd, 2025 08:14 - 12:34 UTC | Affected npm packages were deprecated; new packages uploaded to prevent the compromise in new dependent software releases. | |
| 111 | +| Library Resolution Completed | April 22nd, 2025 12:34 UTC | The npm package vulnerability has been mitigated. | |
| 112 | +| Additional Mitigation Actions | April 22nd, 2025 | Further remediation actions described above taken (e.g., CVE publishing, domain reporting, etc). | |
0 commit comments