
XRP Ledger Foundation Flags New Critical Flaw in JavaScript Library

The XRP Ledger Foundation (XRPLF) has urged developers to upgrade immediately after disclosing a “serious vulnerability” in recent releases of xrpl.js, the JavaScript software-development kit relied on by most applications that interact with the XRP blockchain. Malicious packages uploaded to the npm registry between 21 and 22 April allow attackers to exfiltrate wallet seeds and private keys, potentially putting user funds at risk.

Compromised versions published without matching GitHub release

Investigators at security firm Aikido noticed five suspicious package versions, 4.2.1 to 4.2.4 and 2.14.2, appearing on npm late on 21 April. None corresponded to an official GitHub tag, an initial sign of foul play. XRPLF has confirmed the uploads were made through the account mukulljangid, which is thought to belong to a Ripple employee whose credentials were stolen. Download statistics suggest 452 installations of the tainted packages, yet the underlying library normally sees more than 140,000 downloads each week, amplifying concern over indirect exposure.
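The signal Aikido acted on, versions present on npm with no matching release tag, is cheap to check continuously. The script below is an added example (not code from XRPLF, Aikido or the xrpl.js project) that cross-references a registry version list against git tags and narrows the result to a publish window. The version list, tag list and publish timestamps are constructed for illustration; the tag naming scheme (`v4.2.0` or `xrpl@4.2.0`) is an assumption, and the function names are the example's own.

```javascript
// Added example (not code from XRPLF, Aikido or the xrpl.js project): flag
// npm versions that have no matching git release tag, the signal that first
// exposed the rogue xrpl.js builds. The version list, tag list and publish
// times below are constructed for illustration; in practice they would come
// from `npm view xrpl versions --json`, `npm view xrpl time --json` and
// `git tag` in a clone of the repository.

const SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Reduce a tag such as "v4.2.0" or "xrpl@4.2.0" to a plain version string;
// the tag naming scheme is an assumption, so both forms are accepted.
function tagToVersion(tag) {
  const m = tag.match(/(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/);
  return m ? m[1] : null;
}

// Numeric major.minor.patch ordering (pre-release suffixes are ignored).
function compareVersions(a, b) {
  const pa = a.split('.').map((x) => parseInt(x, 10));
  const pb = b.split('.').map((x) => parseInt(x, 10));
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every published version for which no release tag exists, sorted.
function findUntaggedVersions(npmVersions, gitTags) {
  const tagged = new Set(gitTags.map(tagToVersion).filter(Boolean));
  return npmVersions
    .filter((v) => SEMVER.test(v) && !tagged.has(v))
    .sort(compareVersions);
}

// Narrow the suspects to a publish window. `timeMap` has the shape npm
// returns: version -> ISO timestamp, plus "created"/"modified" keys.
function publishedBetween(timeMap, fromIso, toIso) {
  const from = Date.parse(fromIso);
  const to = Date.parse(toIso);
  return Object.entries(timeMap)
    .filter(([v, t]) => SEMVER.test(v) && Date.parse(t) >= from && Date.parse(t) <= to)
    .map(([v]) => v)
    .sort(compareVersions);
}

// Versions that are both untagged and published inside the suspect window.
function suspects(npmVersions, gitTags, timeMap, fromIso, toIso) {
  const untagged = new Set(findUntaggedVersions(npmVersions, gitTags));
  return publishedBetween(timeMap, fromIso, toIso).filter((v) => untagged.has(v));
}

// Constructed sample data (not real registry output; timestamps invented).
const npmVersionsSample = ['2.14.1', '2.14.2', '4.2.0', '4.2.1', '4.2.2', '4.2.3', '4.2.4'];
const gitTagsSample = ['v2.14.1', 'v4.2.0'];
const timeMapSample = {
  created: '2024-01-01T00:00:00.000Z',
  modified: '2025-04-22T02:00:00.000Z',
  '2.14.1': '2025-03-01T10:00:00.000Z',
  '4.2.0': '2025-04-10T10:00:00.000Z',
  '4.2.1': '2025-04-21T20:53:00.000Z',
  '4.2.2': '2025-04-21T21:10:00.000Z',
  '4.2.3': '2025-04-21T21:30:00.000Z',
  '4.2.4': '2025-04-22T01:40:00.000Z',
  '2.14.2': '2025-04-22T02:00:00.000Z',
};

console.log(suspects(npmVersionsSample, gitTagsSample, timeMapSample,
  '2025-04-21T00:00:00Z', '2025-04-22T23:59:59Z'));
```

Run on a schedule against the real registry and repository, a non-empty result from `suspects` is the alert condition; the untagged check alone also catches legitimate but sloppy releases, which is why the publish window is useful for triage.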

Backdoor silently harvested private keys

Code review shows the attacker added a function called checkValidityOfSeed. Whenever wallet-related methods ran, the routine quietly forwarded secrets to the domain 0x9c[.]xyz via a disguised HTTP POST request. “It is a textbook supply-chain attack that targets the weakest link—the developer workstation,” said Charlie Eriksen, Malware Researcher at Aikido, who first raised the alarm.

Although the domain is now offline, anyone who built or deployed software using the rogue packages could have leaked credentials before the breach was detected. Security teams warn that wallets may continue to be drained if exposed keys are not rotated quickly.

Foundation issues urgent mitigation guidance

XRPLF stresses that the vulnerability is confined to the JavaScript SDK and does not affect the XRP Ledger core codebase or its GitHub repository. Clean releases 4.2.5 and 2.14.3 were pushed within hours of confirmation, and the malicious packages have been removed from npm. The foundation has published step-by-step instructions explaining how to upgrade dependencies, rotate keys, and, where appropriate, disable compromised master keys using built-in ledger features.
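Before rotating keys, a team needs to know whether the compromised versions were ever installed, including as a transitive dependency of another package. The script below is an added example, not XRPLF's published remediation steps: it walks a `package-lock.json` for the five versions named above, maps each hit to the clean release on the same major line, and greps source text for the indicators reported in the article. The lockfiles and source text are constructed for illustration, and the function names are the example's own.

```javascript
// Added example, not XRPLF's own remediation instructions: audit a
// package-lock.json for the xrpl.js versions named in the advisory and
// scan source text for the indicators the article reports. Lockfiles and
// source text below are constructed for illustration.

// Versions the advisory names as compromised, and the clean release on the
// same major line that XRPLF published.
const COMPROMISED = { xrpl: new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']) };
const FIXED_IN = { xrpl: { 2: '2.14.3', 4: '4.2.5' } };

// Yield {name, version, path} for every entry in a lockfile, handling both
// the v1 nested "dependencies" tree and the v2/v3 flat "packages" map.
function* lockfileEntries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry
      const idx = path.lastIndexOf('node_modules/');
      yield { name: path.slice(idx + 'node_modules/'.length), version: meta.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, path };
      yield* walk(meta.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Return every compromised install, with the release to move to.
function findCompromised(lock, compromised = COMPROMISED, fixedIn = FIXED_IN) {
  const hits = [];
  for (const e of lockfileEntries(lock)) {
    if (Object.prototype.hasOwnProperty.call(compromised, e.name)
        && compromised[e.name].has(e.version)) {
      const major = parseInt(e.version, 10);
      hits.push({ ...e, fixedIn: fixedIn[e.name][major] });
    }
  }
  return hits;
}

// Indicators from the report. The domain is kept defanged and refanged only
// at match time so the live literal never appears in this file.
const INDICATORS = ['checkValidityOfSeed', '0x9c[.]xyz'];
function scanSource(text, indicators = INDICATORS) {
  return indicators.filter((i) => text.includes(i.replace('[.]', '.')));
}

// Constructed sample inputs.
const sampleLockV3 = {
  name: 'demo-wallet-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-wallet-app', dependencies: { xrpl: '^4.2.0' } },
    'node_modules/xrpl': { version: '4.2.4' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/xrpl': { version: '2.14.2' },
  },
};
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-lib': { version: '1.0.0', dependencies: { xrpl: { version: '4.2.2' } } },
  },
};
const sampleSource = 'const w = Wallet.fromSeed(seed);\n// constructed text mentioning checkValidityOfSeed\n';

console.log(findCompromised(sampleLockV3));
console.log(findCompromised(sampleLockV1));
console.log(scanSource(sampleSource));
```

A hit on any build host, CI runner or developer machine means every seed that host handled while the package was present should be treated as exposed and rotated, regardless of whether the indicator scan finds anything, since the offending code may have been removed before the scan ran.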

Source: XRPLF (X)

Ripple’s incident-response team is working with npm and law enforcement agencies to trace the origin of the breach. Early indicators suggest the intruder obtained an access token for the employee’s npm account rather than modifying source code in the public repository. Affected projects such as Xaman Wallet, XRPScan, and several gaming platforms report no direct loss so far, but audits are ongoing.

Growing pressure on open-source supply chains

The incident echoes earlier compromises of Ethereum and Solana developer libraries, underlining how attackers increasingly target package managers rather than blockchain protocols themselves. Analysts note that constant version-monitoring, two-factor authentication on publishing accounts, and automated code-signing are becoming baseline requirements for open-source ecosystems that handle digital assets. “Developers are the new perimeter,” Eriksen warned, adding that organisations must treat third-party code with the same scrutiny as their own.

Conclusion

The speed with which the foundation neutralised the backdoor and issued patched releases has limited the immediate fallout, yet the episode underscores the fragility of modern software supply chains. Developers who depend on xrpl.js should upgrade and rotate credentials without delay, while the broader community faces renewed pressure to harden publishing workflows and monitor dependencies continuously.