Peter Todd, the Canadian Bitcoin developer once featured in an HBO documentary as a candidate for Satoshi Nakamoto, has renewed his criticism of Ripple (XRP)
Canadian Bitcoin developer Peter Todd has slammed Ripple (XRP) after a serious vulnerability was found in a JavaScript library used by the XRP Ledger (XRPL).
The vulnerability was first flagged by Aikido Security and later acknowledged by Ripple CTO David Schwartz, sparking concern among members of the XRP community.
The issue, which involved malicious code being injected into Ripple’s official Node Package Manager (NPM) library, could have allowed attackers to steal private keys and drain XRP wallets.
However, the breach was quickly contained and patched by Ripple.
But Peter Todd, who was once featured in an HBO documentary as a possible candidate for Satoshi Nakamoto, took the opportunity to highlight a warning he had already shared a decade ago.
“10 years after I pointed out the risk of a Ripple backdoor due to Ripple not signing its software with PGP … there is a Ripple backdoor due to the NPM breach,” he wrote.
In a 2013 article, Todd had criticized Ripple for failing to verify software releases with PGP signatures or to provide any method of authenticating downloaded software.
He warned at the time that such oversights could leave the door open for malicious actors to inject backdoors.
“It’s common practice for software to be signed with PGP to allow users to independently verify that the software they download has not been tampered with,” explained Todd.
“However, as far as I can tell, neither Ripple nor any other company that makes software for the XRP cryptocurrency signs its software releases with PGP or provides any other method for users to securely authenticate the software they download.”
This latest security lapse has sparked discussion among members of the crypto community on open-source supply chain security—a topic that has been a recurring point of concern.