Peter Todd, the Canadian Bitcoin developer once featured in an HBO documentary as a candidate for Nakamoto, has renewed his criticism of Ripple (XRP)
Canadian Bitcoin developer Peter Todd has slammed Ripple (XRP) after a serious vulnerability was found in a JavaScript library used by the XRP Ledger (XRPL).
The vulnerability was first flagged by Aikido Security and later acknowledged by Ripple CTO David Schwartz, sparking concern among members of the XRP community.
The issue, which involved malicious code being injected into Ripple’s official Node Package Manager (NPM) library, could have allowed attackers to steal private keys and drain XRP wallets.
However, the breach was quickly contained and patched by Ripple.
But Peter Todd, who was once featured in an HBO documentary as a possible candidate for Satoshi Nakamoto, took the opportunity to highlight a warning he had already shared a decade ago.
“10 years after I pointed out the risk of a Ripple backdoor due to Ripple not signing its software with PGP … there is a Ripple backdoor due to the NPM breach,” he wrote.
In a 2013 article, Todd had criticized Ripple for failing to verify software releases with PGP signatures or provide any method of authenticating downloaded software.
He warned at the time that such oversights could leave the door open for malicious actors to inject backdoors.
“It’s common practice for software to be signed with PGP to allow users to independently verify that the software they download has not been tampered with,” explained Todd.
“However, as far as I can tell, neither Ripple nor any other company that makes software for the XRP cryptocurrency signs its software releases with PGP or provides any other method for users to securely authenticate the software they download.”
This latest security lapse has sparked discussion among members of the crypto community on open-source supply chain security—a topic that has been a recurring point of concern.