Recently, XRP faced a major security vulnerability involving one of the XRP Ledger's JavaScript libraries. The Ripple npm JavaScript library named xrpl.js was compromised.
Recently, a major cryptocurrency project was hit by a nasty case of code corruption, affecting a key JavaScript library used by many to connect with the blockchain.
This is what happened:
One of the npm JavaScript libraries used by Ripple was compromised in a software supply chain attack. The issue was flagged by Aikido Security and later confirmed by Ripple CTO David Schwartz.
The issue affects specific versions of the Node Package Manager (NPM) library, but major XRP services like Xaman Wallet and XRPScan were not impacted.
It was discovered that versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 of the Ripple npm JavaScript library, named xrpl.js, were compromised in a software supply chain attack.
The vulnerability was patched in newer versions 4.2.5 and 2.14.3.
The incident began on April 21, 2025, when a user named "mukulljangid" started injecting malicious code into the xrpl.js package.
Later, the attacker introduced a new function to steal private keys and send them to an external domain. It is assumed that the attacker gained access through a compromised Ripple employee’s npm account.
Moreover, the attacker quickly deployed multiple versions to avoid detection, but there is no sign of a backdoor in the GitHub repository.
The XRP Ledger foundation also issued a statement, confirming that the compromised versions of xrpl.js have been removed. They advised developers to use versions 4.2.5 or 2.14.3. A full report will follow.
This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.
We are aware that specific versions of the Node Package Manager (NPM) library are affected, but major XRP services like Xaman Wallet and XRPScan are not impacted.
This incident has once again raised concerns over software security, especially in the cryptocurrency sector where customer support and large sums of money are at stake.
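To check whether a project still resolves one of the compromised releases listed above, the lockfile is the place to look, because a transitive dependency can pin its own copy of xrpl. The following is an added example, not code from Ripple, Aikido Security or the XRP Ledger Foundation; the function name, the sample lockfile and the package name `example-wallet-sdk` are assumptions made for illustration.

```javascript
// Added example: flag compromised xrpl versions in an npm lockfile.
// The version list is taken from the article; all other names are illustrative.
const COMPROMISED_XRPL = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);

// Returns [{ path, version, compromised }] for every resolved copy of xrpl,
// including copies nested under other dependencies.
function findXrpl(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, compromised: COMPROMISED_XRPL.has(version) });

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  // The regex matches only a folder named exactly "xrpl" under node_modules.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/xrpl$/.test(path)) record(path, meta.version);
  }

  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because version 2 lockfiles carry both views of the same tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'xrpl') record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (not a real project): the top-level xrpl is a fixed
// release, but a hypothetical dependency still pins a compromised copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { xrpl: '^4.2.0' } },
    'node_modules/xrpl': { version: '4.2.5' },
    'node_modules/example-wallet-sdk': { version: '1.0.0' },
    'node_modules/example-wallet-sdk/node_modules/xrpl': { version: '4.2.3' },
  },
});

for (const hit of findXrpl(SAMPLE_LOCK)) {
  console.log(`${hit.compromised ? 'COMPROMISED' : 'ok'}  xrpl@${hit.version}  ${hit.path}`);
}
```

For a real project, pass the text of `package-lock.json` to `findXrpl`. Since the malicious code targeted private keys, a hit means upgrading alone is not enough: any key the affected code handled should be treated as exposed.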