The widely used xrpl.js Ripple cryptocurrency library was compromised in a supply chain attack

The xrpl.js Ripple digital currency library was manipulated in a supply chain attack with the intention of obtaining users’ secret keys.
Threat actors compromised the Ripple digital currency npm JavaScript library xrpl.js in order to extract users’ private keys.
xrpl.js is the recommended library for integrating a JavaScript/TypeScript app with the XRP Ledger. It registers over 140,000 downloads every week. Hundreds of applications and websites use this package, which has been downloaded
On April 21, Aikido Intel identified that the official xrpl NPM package was compromised with a backdoor as part of a supply chain intrusion.
“At 21 Apr, 20:53 GMT+0, our system, Aikido Intel, began alerting us about five new package versions of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140,000 weekly downloads,” states the report released by Aikido. “We immediately confirmed that the official XRPL (Ripple) NPM package was compromised by sophisticated attackers who inserted a backdoor to extract cryptocurrency private keys and gain access to cryptocurrency wallets.”
The researchers dug into the supply chain breach and found that five xrpl package versions (4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2) contained malicious code. The user 'mukulljangid' published all five trojanized versions of the library, starting at 21 Apr, 20:53 GMT+0.
The researchers found a function named checkValidityOfSeed in the code, which was used to send the stolen data to the domain “0x9c [.] xyz”.

Attribution of the attack remains unclear for now, but the researchers noted that the series of version bumps tracks the attackers refining their method. Version 4.2.1 removed key configurations; 4.2.2 introduced malicious JavaScript; the later versions (4.2.3, 4.2.4) moved the backdoor into the TypeScript source so that it was compiled into the published build rather than inserted by hand into the JavaScript, a shift intended to evade detection.
The issue has been resolved in versions 4.2.5 and 2.14.3.
Users of the xrpl.js library are strongly advised to upgrade to versions 4.2.5 or 2.14.3 to minimize risks from the recent supply chain breach.
Aikido also published indicators of compromise so that users can check whether their systems were affected by the malicious library versions.
(SecurityAffairs – hacking, Ripple)
