A sophisticated supply chain attack has targeted the popular xrpl.js library, a JavaScript API used for interacting with the XRP Ledger blockchain. Unknown threat actors compromised the npm package so that applications depending on it would leak their users' cryptocurrency private keys.
The malicious code affected five versions of the package (4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2), with security patches now available in versions 4.2.5 and 2.14.3. The xrpl.js library, which has been downloaded over 2.9 million times and averages 135,000 weekly downloads, is a critical component for many developers building on the XRP Ledger (the Ripple Protocol).
“The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets,” explained Charlie Eriksen from Aikido Security.
The attack began on April 21, 2025, when a user named “mukulljangid” (likely a compromised account belonging to a Ripple employee) introduced a malicious function called `checkValidityOfSeed`. Despite its innocuous name, the function was designed to transmit the seeds and private keys it was handed to an external domain (“0x9c[.]xyz”).
Security researchers noted that the attackers released multiple versions in quick succession, experimenting with different techniques to evade detection. While the npm package was compromised, there is no evidence that the associated GitHub repository was affected: the backdoor existed only in the published npm artifacts, so comparing a tarball against a build of the tagged source would have revealed the discrepancy.
The XRP Ledger Foundation clarified: “This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not affect the XRP Ledger codebase or GitHub repository itself.”
All projects using the xrpl.js library are strongly advised to upgrade immediately to the patched versions (4.2.5 or 2.14.3) to protect against potential cryptocurrency theft. Upgrading alone does not undo past exposure: because the backdoor exfiltrated keys rather than merely weakening them, any seed or private key used with one of the affected versions should be treated as compromised and rotated.
Keywords: ripple cryptocurrency attack, xrpl.js vulnerability, supply chain attack, cryptocurrency private keys theft, npm package security, XRP Ledger security