Блокчейн XRP Ledger подвергся атаке из-за вредоносной NPM-библиотеки

cryptonews.ruPublished on 2025-01-23Last updated on 2025-04-23

  • Аналитик Aikido Security сообщил об уязвимости экосистемы XRP Ledger.
  • Причиной стал бэкдор в библиотеке XRP на NPM, который скомпрометировал приватные ключи.
  • Команда сети подтвердила наличие проблемы в библиотеке и планирует подготовить подробный отчет о хакерской атаке.

Исследователь вредоносного программного обеспечения из компании Aikido Security Чарли Эриксен обнаружил уязвимость в JavaScript-библиотеке xrpl.js, которая используется для взаимодействия с блокчейном XRP Ledger. Он назвал проблему «потенциально катастрофической атакой на сеть снабжения».

«Официальный пакет xrpl на NPM был скомпрометирован изощренными злоумышленниками, которые внедрили бэкдор для похищения приватных ключей и доступа к криптокошелькам», — сообщил Эриксен.

21 апреля система Aikido Intel обнаружила пять новых подозрительных версий пакета xrpl, официального набора для разработки программного обеспечения (SDK) для взаимодействия с XRP Ledger, который еженедельно загружается более 140 000 раз.

Уязвимость затронула версии 4.2.1-4.2.4 и 2.14.2 библиотеки xrpl.js, размещенной на NPM (Node Package Manager) — сервисе для распространения JavaScript-пакетов. После обнаружения инцидента команда XRP Ledger оперативно выпустила обновление v4.2.5, которое перекрывает бэкдор.

To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.

— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025

«Эта уязвимость касается только библиотеки xrpl.js. Она не затрагивает сам XRP Ledger или его репозиторий на GitHub. Все проекты, которые используют эту библиотеку, должны немедленно обновиться до версии 4.2.5», — отметили в XRP Ledger Foundation.

Согласно техническому анализу от Aikido, модифицированные версии библиотеки содержали зашифрованный вредоносный JavaScript-код, который автоматически устанавливал бэкдор через новую зависимость secure-random-bytes. Этот модуль имел функционал сбора приватных ключей и отправки их на внешний сервер, связанный с киберпреступниками.

«Если вы подозреваете, что ваша система была поражена, считается, что все приватные ключи, обработанные этим кодом, скомпрометированы. Необходимо срочно перенести все активы на новый кошелек с новым ключом», — подчеркнул Эриксен.

Представители таких проектов, как Xaman Wallet и XRPScan, уже сообщили, что их сервисы не пострадали, поскольку не использовали взломанные версии библиотеки.

XRP Ledger Foundation также пообещала опубликовать отчет после детального анализа того, как произошла компрометация официального пакета на NPM.

Напомним, что хакеры из Lazarus Group использовали вредоносный бэкдор Manuscrypt для разведки и сбора информации о потенциальных целях.

Trending Cryptos

Related Reads

Grayscale: After Halving, BTC is Nearing the Bottom of This Cycle

Grayscale Research suggests Bitcoin's recent decline below $60,000, a >50% drop from its October peak, represents a cyclical correction within a long-term uptrend rather than a trend reversal. Key factors behind the pullback include a shift in market expectations toward Federal Reserve rate hikes under new Chair Kevin Warsh, uncertainty around the CLARITY Act's Senate passage, pressure on leveraged entities like Strategy, and concerns over quantum computing risks. The path out of the current bear market hinges on upcoming catalysts. An optimistic scenario, where the CLARITY Act passes, leverage is contained, and the Fed refrains from hiking, could mean Bitcoin is nearing its cycle bottom. A pessimistic scenario, featuring legislative failure, further deleveraging, and Fed rate hikes, could lead to additional moderate downside. Grayscale does not expect a historically deep ~80% drawdown due to a more measured prior bull run and stickier institutional demand. Despite short-term headwinds, Grayscale remains highly optimistic about crypto's long-term structural prospects, driven by institutional adoption of public blockchains, unsustainable government debt, declining trust in intermediaries, and AI's potential demand for alternative systems. The report concludes that while the exact cycle low depends on near-term catalysts, current valuations present an attractive entry point for long-term investors betting on the decade-ahead growth of digital assets.

marsbit8m ago

Grayscale: After Halving, BTC is Nearing the Bottom of This Cycle

marsbit8m ago

Web3 Bear Market Survival Guide: Ten Great Books to Help You Navigate the Cycles

"Web3 Bear Market Survival Guide: Ten Books to Help You Navigate the Cycle" This article presents a curated book list aimed at helping Web3 enthusiasts and professionals endure and grow during crypto market downturns. It argues that bear markets are not just periods of waiting but crucial times for deepening one's foundational understanding beyond technical whitepapers and price charts. The ten recommended books offer perspectives on technology, economics, philosophy, and strategy to build resilience and long-term vision. The list includes: 1. **"The Inevitable" by Kevin Kelly:** For using a long-term technological lens to combat uncertainty about the future, including the role of crypto and AI. 2. **"Human Action" by Ludwig von Mises:** To upgrade one's economic and philosophical framework, understanding action, speculation, and calculation in a bear market context. 3. **"The Nature of Technology" by W. Brian Arthur:** For viewing blockchain and crypto as combinatorial evolutions of existing technologies, understanding their modular and economic development. 4. **"The Distant Savior" (Chinese novel):** Explores the cultural attributes of self-reliance ("strong culture") versus dependency ("weak culture"), crucial for surviving industry cycles. 5. **"The Sovereign Individual" by James Dale Davidson & Lord William Rees-Mogg:** A prophetic 1997 work on how technology empowers individuals and challenges nation-states, foreshadowing Bitcoin's emergence. 6. **"Japanization: What the World Can Learn from Japan's Lost Decades" (Adapted title):** Uses Japan's economic history as a case study to identify structural opportunities that persist even during broader recessions. 7. **"Denationalisation of Money" by F.A. Hayek:** The ideological blueprint for Bitcoin, arguing for competitive currency issuance beyond state monopoly. 8. **"Duan Yongping Investment Q&A" (Chinese compilation):** Emphasizes the simple discipline of "doing the right things and doing things right," focusing on fundamentals and maintaining a "stop doing list." 9. **"The Network State: How To Start a New Country" by Balaji Srinivasan:** A visionary text from a crypto insider outlining bold predictions and concrete ideas for a blockchain-based future across media, governance, and identity. 10. **"Selected Works of Mao Zedong" (Vol. 1):** Analyzed as a strategic playbook for a weak force challenging a powerful establishment, offering lessons on strategy, alliance-building, and perseverance for the crypto movement. The conclusion states that bear markets filter out those with weak conviction, not weak skills. Survival depends on cognitive depth and mental fortitude, which these books aim to provide.

Foresight News30m ago

Web3 Bear Market Survival Guide: Ten Great Books to Help You Navigate the Cycles

Foresight News30m ago

Trump's 25-Year Financial Report: Family Earns Over $1 Billion Annually from Crypto, While Retail Investors Lose Money on $TRUMP

Former President Donald Trump's family earned approximately $1.2 billion from cryptocurrency ventures in 2025, according to a financial disclosure report. This revenue stream, outlined in a 927-page filing, now surpasses income from most of his long-established real estate holdings. The crypto earnings originated from two main sources: over $500 million from the sale of products like "governance tokens" by World Liberty Financial, a DeFi project co-owned by the Trump family, and roughly $635 million in royalties from the Trump-themed meme coin $TRUMP, issued by CIC Digital LLC. While Trump's entities profited, retail investors faced significant losses. The $TRUMP token, which peaked above $74 shortly after its January 2025 launch, has plummeted to around $1.68. World Liberty Financial's token has also fallen roughly 80% since its debut. Reports indicate that the majority of meme coin buyers have lost money, with Trump-linked entities still holding about 80% of $TRUMP's supply under vesting plans. The disclosure highlights a stark contrast: Trump's crypto and real estate businesses flourished—with new international property deals bringing in tens of millions—even as his administration shifted to crypto-friendly policies, relaxing the stringent regulatory stance of the previous Biden administration. The White House maintains that Trump acts only in the public interest, with his businesses placed in a trust managed by his sons, denying any conflict of interest. However, the report notes the difficulty of assessing such conflicts, particularly regarding foreign business dealings with countries that later received favorable U.S. policy decisions.

marsbit51m ago

Trump's 25-Year Financial Report: Family Earns Over $1 Billion Annually from Crypto, While Retail Investors Lose Money on $TRUMP

marsbit51m ago

From 'Address Clustering' to 'Evidence Standards': Why is Chainalysis Redefining Blockchain Tracing?

**Summary:** In June 2026, Chainalysis introduced the **Blockchain Tracing Ontology (BTO)**, a proposed data framework aiming to establish standardized, transparent, and verifiable models for blockchain analysis. This initiative addresses a core industry issue: despite public blockchain data, different firms often produce inconsistent results (e.g., differing entity labels for the same address) due to non-uniform methodologies, particularly in **address clustering**. This lack of standardization poses challenges for judicial investigations, AML, and enforcement. The BTO is not a new clustering algorithm but a **common "language" or conceptual framework**. It moves beyond the simplistic "cluster" model by introducing a hierarchical structure: **Entity → Wallet → Wallet Segment → Address**, which better reflects complex organizational wallet management. A key shift is from presenting mere results to ensuring **process trust and explainability**. The framework emphasizes documenting the **Evidence** and **Confidence** behind each analytical claim—specifying the on-chain/off-chain data, rules applied, and certainty levels—enabling third-party verification. This focus is partly informed by legal precedents like the **Bitcoin Fog** case, where Chainalysis's methods underwent rigorous judicial scrutiny (Daubert hearing), highlighting the need for reproducible, scientifically sound analysis. The proposal clarifies that on-chain analysis identifies address relationships and flow patterns, not real-world identities, which still require off-chain evidence (e.g., KYC data). Ultimately, Chainalysis envisions steering the industry from an "experience-driven" to a **"standards-driven"** future, where competition centers on **data quality, analytical transparency, and judicial admissibility** rather than just label coverage. Widespread adoption could facilitate cross-agency collaboration, reduce disputes, and provide a more reliable foundation for global compliance and enforcement.

marsbit1h ago

From 'Address Clustering' to 'Evidence Standards': Why is Chainalysis Redefining Blockchain Tracing?

marsbit1h ago

Trading

Spot

Hot Articles

What is XRP 2.0

XRP 2.0: A New Frontier in the Cryptocurrency Landscape Introduction to XRP 2.0 In the ever-evolving realm of cryptocurrency, new projects continuously emerge, vying for attention and adoption. One such promising initiative is XRP 2.0, a novel cryptocurrency project designed to leverage advanced blockchain technology and robust encryption methodologies. While the name draws parallels with Ripple’s XRP, it’s crucial to note that XRP 2.0 operates independently, focusing on enhancing transaction security, privacy, and scalability. As the digital financial landscape increasingly embraces decentralized solutions, XRP 2.0 aims to contribute meaningfully to web3 and the overall expansion of crypto projects. What is XRP 2.0? At its core, XRP 2.0 is a cryptocurrency project that aims to create a secure and decentralized digital currency ecosystem. Its foundational technology integrates sophisticated blockchain principles with cutting-edge encryption techniques. The overarching goal of XRP 2.0 is to establish itself as a reliable and efficient platform enabling swift transaction execution while prioritizing enhanced privacy protections for its users. The project is promoted as a solution to many limitations faced by existing cryptocurrencies, proposing a system that can handle a higher volume of transactions with improved speed and privacy. This versatility positions XRP 2.0 as a significant contender in a marketplace riddled with various digital currencies. Who is the Creator of XRP 2.0? The identity of the creator behind XRP 2.0 has been flagged as ‘Wilbur.’ However, comprehensive details regarding Wilbur or their associated entity remain elusive. The anonymity of many cryptocurrency creators is not an uncommon phenomenon in the industry, often designed to maintain a degree of privacy and security. Who are the Investors of XRP 2.0? As of now, specific information related to the investment foundations or organizations supporting XRP 2.0 is not publicly available. In the cryptocurrency sector, the backing by reputed investors can significantly influence a project's credibility and success, yet the transparency regarding the financial supporters of XRP 2.0 has not been established. How Does XRP 2.0 Work? XRP 2.0 stands out by employing a combination of blockchain technology and advanced encryption algorithms that ensures secure and decentralized transactions. Its innovative structure includes unique features designed to foster user engagement and broaden functionalities beyond conventional cryptocurrency transactions. Among these features, XRP 2.0 incorporates AI-powered capabilities, such as text-to-image and text-to-speech functionalities. These additions are designed to enhance the interactive experience for users, promoting broader applicability across various sectors. By bridging technological advancements with user-centered design, XRP 2.0 aims to capture the attention of a diverse range of individuals and enterprises looking to integrate cryptocurrency solutions into their operational frameworks. Timeline of XRP 2.0 Understanding XRP 2.0 requires examining the milestones that have defined its journey thus far: July 23, 2023: XRP 2.0 is introduced as a novel cryptocurrency project, aiming to revolutionize secure and decentralized transaction capabilities in the blockchain domain. September 8, 2023: The launching of another project, XRP20, occurs, marking the emergence of an ERC-20 token on the Ethereum blockchain that remains unrelated to XRP 2.0. November 13, 2023: The XRP Ledger undergoes a significant update with the release of rippled server software version 2.0.0. It is essential to note that this development is disconnected from the XRP 2.0 cryptocurrency project. Key Points About XRP 2.0 To distill the essence of XRP 2.0, several critical factors emerge: Unique Features: The inclusion of features like AI-powered text-to-image and text-to-speech further diversifies the potential applications of XRP 2.0. Blockchain Technology: The framework utilizes advanced blockchain mechanisms and encryption protocols, ensuring a secure and decentralized environment for transactions. Scalability and Privacy: XRP 2.0 prioritizes enhanced privacy protections in transaction processes and the scalability necessary to accommodate a growing user base. No Affiliation with Ripple: Importantly, despite its name, XRP 2.0 does not have any allegiance or collaboration with Ripple’s XRP, distinguishing its operational framework and objectives within the cryptocurrency ecosystem. Conclusion XRP 2.0 represents an ambitious venture into the cryptocurrency sphere, aiming to offer a combination of security, privacy, and efficiency in digital transactions. By integrating sophisticated technologies and user-friendly features, the project sets out to broaden the horizons of what cryptocurrency can achieve in today's digital economy. While the anonymity of its creator and lack of disclosed investors might raise questions for some, XRP 2.0's focus on advanced functionalities and decentralisation enhances its appeal amidst an increasingly crowded crypto market. As the cryptocurrency landscape continues to evolve, XRP 2.0 may yet emerge as a pivotal player in the expansion of secure and scalable blockchain solutions.

1.0k Total ViewsPublished 2024.04.01Updated 2024.12.03

What is XRP 2.0

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of XRP (XRP) are presented below.

活动图片