On April 21, 2025, cybersecurity company Aikido Security detected a critical vulnerability in the NPM package, a networked application developer library created by Ripple, XRP Ledger (XRPL).
This failure, reported by Cryptootics, allows attackers to access private keys, and surprisingly, already It was warned 10 years ago By Peter Todd, a certified Bitcoin software developer.
In May 2015, Todd analyzed the risks of XRPL networks and noted that the probability of such an attack is “high.”
Early warnings were ignored
Todd, known for his work at Bitcoin Core and projects such as Opentimemps, Attackers can insert backdoorsIt is known in English as Back doorIn a widely used implementation of Ripple software such as servers “Rapid-over Node Software”.
This attack can be done by both internal members of Ripple Labs and external members that undermine sources or binary code hosted on platforms such as GitHub. According to Todd, The economic costs of this attack were ineffective. And its scope was broad, with a higher potential week duration and success.
The rear door is the hidden mechanism of the software; Atacher Access Sensitive Dataas a private key, in the case of cryptocurrency, controls the user fund. The XRPL NPM package with a recent failure detected is a library that developers use to create applications on this network, amplifying the impact of the vulnerability.
Risk factors that Todd shows
In a 2015 analysis, Todd identified two structural weaknesses in Ripple Labs’ software management. First, he pointed out that the entire network code is open source. This promotes transparency, but also encourages malicious third parties to research and misuse it.
Additionally, Ripple Labs relied on Github, a collaborative development platform, to host the code. Github is reliable, but Todd warned that Trusting a third for software distribution introduces riskespecially if the code is not implemented to verify PGP (the English acronym for “very good privacy”), as a standard for encryption to protect the reliability of software and digital data.
Ultimately, another important point that Bitcoiner developers show was the lack of a secure mechanism for users to download the software. Todd was available in binary, but Ripple Lab It did not provide a safe way to verify its integrity.
For example, packages from Ubuntu, a popular operating system, were distributed through an insecure HTTP repository without a signature to ensure reliability. This opened the door to an attack that allowed attackers to modify software while they were discharged from the hospital.
Later, on April 22nd, the XRPL.JS update was released by the XRPL Foundation, the social network X account, which is the organization that handles the development of networks created by Ripple. Fix the above vulnerabilities.
How does Bitcoin Core minimize that type of vulnerability?
Bitcoin Core is an open source project that uses PGP signatures to ensure software version integrity and reliability as a reference customer of Bitcoin.
Each official release (for example, Bitcoin Core V29.0) is signed by the main maintainer with a PGP key and is authorized by the user Make sure the ejected code has not been changed. This directly addresses the issue that Ripple’s Todd shows, where the lack of PGP signatures facilitated the distribution of malicious code.
Additionally, Bitcoin Core has dozens of main collaborators (maintainers and key reviewers) and hundreds of secondary collaborators who review the code on GitHub. This open development model ensures that multiple eyes examine each proposed change. Reduce the probability of vulnerability They are not noticed.
(tagstotranslate) bitcoin (btc)