In a recent social media post, Peter Todd, the prominent Canadian Bitcoin developer who was identified as the likeliest Satoshi Nakamoto candidate in a 2024 HBO documentary, took to social media to slam Ripple after a backdoor was spotted in the JavaScript library used for the XRP Ledger (XRPL).
Todd recalled that he had warned about such a vulnerability a decade ago.
As reported by U.Today, Ripple CTO David Schwartz recently warned about malicious code in the library that was initially spotted by Aikido Security. The backdoor made it possible to send private keys to a suspicious domain, which essentially allows attacks to steal the private keys of those who use the compromised versions of the XRPL software development kit (SDK).
Earlier, Todd published a paper claiming that Ripple’s security could be compromised due to the fact that they did not provide a cryptographic PGP signature verifying their code. This would potentially make it possible for hackers to inject malicious code and distribute a fake version of software. Ironically, the same kind of attack ended up materializing a decade later, with an NPM compromise resulting in the malicious backdoor.
Notably, Schwartz admitted that Schwartz’s warning was true “at that time” in February.
At the same time, Todd has admitted that his own software library is not PGP signed because the Python Package Index (PyPi) stopped supporting such downloads.
“In fairness, at the moment, my python-bitcoinlib library isn’t PGP signed for most users because PyPi made the idiotic decision to phase out PGP signatures. But my hands are tied on that; the entire software industry is incompetent,” he said.
