The Ripple cryptocurrency npm JavaScript library named xrpl.js has been compromised by unknown threat actors as part of a software supply chain attack designed to harvest and exfiltrate users’ private keys.
The malicious activity has been found to affect five different versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. The issue has been addressed in versions 4.2.5 and 2.14.3.
xrpl.js is a popular JavaScript API for interacting with the XRP Ledger blockchain, also called the Ripple Protocol, a cryptocurrency platform launched by Ripple Labs in 2012. The package has been downloaded over 2.9 million times to date, attracting more than 135,000 weekly downloads.
“The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets,” Aikido Security’s Charlie Eriksen said.
The malicious code changes have been found to be introduced by a user named “mukulljangid” starting April 21, 2025, with the threat actors introducing a new function named checkValidityOfSeed that’s engineered to transmit the stolen information to an external domain (“0x9c[.]xyz”).
It’s worth noting that “mukulljangid” likely belongs to a Ripple employee, indicating that their npm account was hacked to pull off the supply chain attack.
The attacker is said to have tried different ways to sneak in the backdoor while trying to evade detection, as evidenced by the different versions released in a short span of time. There is no evidence that the associated GitHub repository has been backdoored.
It’s not clear who is behind the attack, but it’s believed that the threat actors managed to steal the developer’s npm access token to tamper with the library.
In light of the incident, users relying on the xrpl.js library are advised to update their instances to the latest version (4.2.5 and 2.14.3) to mitigate potential threats.
“This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger,” the XRP Ledger Foundation said in a post on X. “It does not affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.”
