XRP Ledger Faces Security Threat as Developer Tool Compromised

Highlights:

  • Malicious code in xrpl.js put many XRP wallets at risk but was removed with a quick update from the foundation.
  • Developers must upgrade to the safe version of xrpl.js to avoid exposure to stolen private keys.
  • The attack used a stolen access token and showed how risky open-source tools can be in blockchain projects.

Aikido Intel, a security specialist, recently discovered a security issue in xrpl.js, a library used to interact with the XRP Ledger. On April 22, Aikido Security flagged unusual activity involving several newly published versions of the library. The problem was caused by a stolen developer access token, which was used to publish these versions on the Node Package Manager (npm) platform.

The malicious versions included hidden code that attackers could use to collect private keys from users. If used, the code allowed attackers to take control of wallets and move funds. The move posed a serious threat to developers and users who rely on this library to connect with the XRP Ledger.

The XRP Ledger Foundation reacted promptly to the security warning. It released a new patched version of the library, 4.2.5, to remove the harmful code. It also confirmed that the main XRP Ledger codebase and GitHub repository were secure and had not been changed.

This library sees over 140,000 downloads each week and is used in many applications and websites. Because of this, the problem could have affected a wide range of users across the XRP ecosystem. Fortunately, key services like Xaman Wallet and XRPScan were not affected, and several ecosystem projects confirmed the same.

Foundation Advises Developers to Act Quickly

After detecting the threat, the foundation acted fast to remove the affected versions and inform developers. Specifically, the foundation advised them to upgrade to two other versions. They also recommended rotating private keys or seed phrases if the affected versions were used in any project.

Aikido performed further checks and found that the attacker was collecting the stolen data at a specific domain, 0x9c.xyz. The harmful versions of the library activated the backdoor as soon as the victim created a new wallet. This allowed the attacker to receive private keys without alerting the user.

In the early malicious versions, the code was present only in the built JavaScript files. This approach made it difficult for standard reviews to notice the problem. Later versions of the package included the backdoor in the original TypeScript files, making the threat more persistent.

Aikido Security also encouraged developers to check their network logs for any connections to the suspicious domain. They noted that bad actors had refined their methods across the fake versions to avoid early detection.
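The log check Aikido recommends can be scripted. The following is an added example, not code from Aikido or the XRP Ledger Foundation: it scans DNS and proxy log lines for the domain named above, matching the domain and its subdomains (an assumption) while rejecting lookalike names. The log formats and sample lines are constructed.

```javascript
// Added example. Only the domain comes from the article; the log formats
// and sample lines below are constructed for illustration.
const IOC_DOMAIN = "0x9c.xyz";

// True for the domain itself or any subdomain (assumption: subdomains are
// treated as suspicious too). Lookalikes such as "not0x9c.xyz" or
// "0x9c.xyz.example.net" must not match.
function isIocHost(host) {
  const h = host.toLowerCase().replace(/^\.+|\.+$/g, "");
  return h === IOC_DOMAIN || h.endsWith("." + IOC_DOMAIN);
}

// Pull hostname-shaped tokens out of a free-form log line. Splitting on
// everything except [a-z0-9.-] handles URLs, host:port and bare DNS names.
function extractHosts(line) {
  const tokens = line.match(/[a-z0-9.-]+/gi) || [];
  const hosts = tokens
    .map((t) => t.toLowerCase().replace(/^\.+|\.+$/g, ""))
    .filter((t) => t.includes("."));
  return [...new Set(hosts)];
}

// Return one hit per (line, matching host), with 1-based line numbers.
function scanLogs(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    for (const host of extractHosts(line)) {
      if (isIocHost(host)) hits.push({ lineNo: i + 1, host, line });
    }
  });
  return hits;
}

// Constructed sample: DNS resolver and forward-proxy log lines.
const SAMPLE_LOG = [
  "2025-04-22T10:01:02Z dns client=10.0.0.5 query=registry.npmjs.org. type=A",
  "2025-04-22T10:01:07Z dns client=10.0.0.5 query=0X9C.XYZ. type=A",
  "2025-04-22T10:01:08Z proxy CONNECT 0x9c.xyz:443 user=build-agent",
  "2025-04-22T10:02:11Z proxy GET https://cdn.0x9c.xyz/ status=200",
  "2025-04-22T10:03:00Z dns client=10.0.0.9 query=0x9c.xyz.example.net. type=A",
  "2025-04-22T10:03:05Z dns client=10.0.0.9 query=not0x9c.xyz. type=A",
];

for (const hit of scanLogs(SAMPLE_LOG)) {
  console.log(`line ${hit.lineNo}: ${hit.host} <- ${hit.line}`);
}
```

Any hit from a host that built or ran code using xrpl.js is a reason to treat the keys handled on that host as exposed and rotate them, as the foundation advised.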

Identity Of Hacker Still Unknown

Authorities have not revealed the identity of the attacker, and the way the access token was stolen remains unknown. While the core XRP Ledger itself was not affected, the event underscored just how dangerous supply chain attacks can be for blockchain projects.

The XRP Ledger Foundation confirmed that it had removed the compromised versions from its code repository. It also shared that key ecosystem partners such as Gen3 Games and First Ledger had not been affected.
