The popular xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack

Pierluigi Paganini
April 23, 2025

The xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack aimed at stealing users’ private keys.

Threat actors compromised the Ripple cryptocurrency npm JavaScript library xrpl.js to harvest users’ private keys.

xrpl.js is the recommended library for integrating a JavaScript/TypeScript app with the XRP Ledger and has more than 140,000 weekly downloads. Hundreds of thousands of applications and websites use the package, which has been downloaded over 2.9 million times to date.

On April 21, Aikido Intel detected that the official xrpl NPM package was compromised with a backdoor as part of a supply chain attack.

“At 21 Apr, 20:53 GMT+0, our system, Aikido Intel started to alert us to five new package versions of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140.000 weekly downloads.” reads the report published by Aikido. “We quickly confirmed the official XRPL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.”

The researchers investigated the supply chain attack and discovered that five xrpl package versions (4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2) contained malicious code. The user 'mukulljangid' released all five malware-laced versions of the library starting from 21 Apr, 20:53 GMT+0.

The researchers noticed the presence of a function named checkValidityOfSeed in the code that was used to exfiltrate the stolen information to the domain “0x9c [.] xyz”.

It is currently unclear who is behind the attack. The experts pointed out, however, that the multiple version bumps show the attackers refining their methods: version 4.2.1 removed key configs, 4.2.2 introduced malicious JavaScript, and later versions (4.2.3, 4.2.4) added backdoors in TypeScript. The progression shows the attackers' evolving tactics to avoid detection, moving from manual code insertion to compiled backdoors.

The problem has been fixed in versions 4.2.5 and 2.14.3.

Users of the xrpl.js library are urged to update to versions 4.2.5 or 2.14.3 to mitigate risks from the recent supply chain attack.

The company provided indicators of compromise to check whether users’ systems may have been affected by the malicious versions of the library.
