Advisory

Malicious code injected into Ripple's xrpl.js npm package compromises cryptocurrency private keys

Take action: If you use xrpl.js, update to version 4.2.5 (or 2.14.3 on the 2.x line) IMMEDIATELY. If you installed or ran a compromised version (4.2.1 through 4.2.4, or 2.14.2) on or after April 21, 2025, assume any seed or private key that passed through that code has been stolen, and move funds to wallets generated with a clean build. Also verify external packages before they enter your build (pinned versions in a lockfile, signature and provenance checks on the tarballs you install) to reduce exposure to malicious code injection; it is not simple, but it does help.


Learn More

A software supply chain attack has been discovered affecting the popular Ripple cryptocurrency JavaScript library xrpl.js. Attackers have compromised multiple versions of the package to harvest and exfiltrate users' private keys, potentially allowing attackers to gain unauthorized access to cryptocurrency wallets and assets.

The xrpl.js library is a JavaScript API used for interacting with the XRP Ledger blockchain (also known as the Ripple Protocol), a cryptocurrency platform launched by Ripple Labs in 2012. It has over 2.9 million total downloads to date and approximately 135,000 weekly downloads.

The malicious code was published to npm under the account "mukulljangid" beginning on April 21, 2025. This account is believed to belong to a legitimate Ripple employee whose npm credentials were compromised and used to push the tampered releases.

The attackers implemented the theft through a new function named "checkValidityOfSeed", a name chosen to pass as ordinary validation code, which transmits the private key material it is handed to the attacker-controlled domain "0x9c[.]xyz". Differences between the compromised releases show the attackers revising the injection across several package versions, apparently to evade detection.

The following versions of the xrpl.js package have been confirmed as compromised:

  • 4.2.1
  • 4.2.2
  • 4.2.3
  • 4.2.4
  • 2.14.2

The malicious code has been removed in the following clean releases:

  • 4.2.5
  • 2.14.3

The XRP Ledger Foundation has issued an advisory stating: "This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does not affect the XRP Ledger codebase or GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately."

All users and projects incorporating the xrpl.js library are strongly advised to update to the latest secure versions (4.2.5 or 2.14.3) as soon as possible to mitigate potential threats.

It appears that the GitHub repository for xrpl.js is unaffected by this breach, and the compromise is limited to the npm package distributions. Aikido Security believes the attackers likely obtained the developer's npm access token to facilitate the attack.
