Recently, XRP faced a major security vulnerability involving one of the XRP Ledger's JavaScript libraries: the Ripple npm JavaScript library named xrpl.js was compromised.
Recently, a major cryptocurrency project was hit by a nasty case of code corruption, affecting a key JavaScript library used by many to connect with the blockchain.
This is what happened:
One of the npm JavaScript libraries used by Ripple was compromised in a software supply chain attack. The issue was flagged by Aikido Security and later confirmed by Ripple CTO David Schwartz.
The issue affects specific versions of the Node Package Manager (NPM) library, but major XRP services like Xaman Wallet and XRPScan were not impacted.
It was discovered that versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 of the Ripple npm JavaScript library, named xrpl.js, were compromised in a software supply chain attack.
The vulnerability was patched in newer versions 4.2.5 and 2.14.3.
The incident began on April 21, 2025, when a user named "mukulljangid" started injecting malicious code into the xrpl.js package.
Later, the attacker introduced a new function to steal private keys and send them to an external domain. It is assumed that the attacker gained access through a compromised Ripple employee’s npm account.
Moreover, the attacker quickly deployed multiple versions to avoid detection, but there is no sign of a backdoor in the GitHub repository.
The XRP Ledger Foundation also issued a statement, confirming that the compromised versions of xrpl.js have been removed. They advised developers to use versions 4.2.5 or 2.14.3. A full report will follow.
This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.
We are aware that specific versions of the Node Package Manager (NPM) library are affected, but major XRP services like Xaman Wallet and XRPScan are not impacted.
This incident has once again raised concerns over software security, especially in the cryptocurrency sector where customer support and large sums of money are at stake.