XRP Ledger Faces Security Threat as Developer Tool Compromised
Highlights:
- Malicious code in xrpl.js put many XRP wallets at risk but was removed with a quick update from the foundation.
- Developers must upgrade to the safe version of xrpl.js to avoid exposure to stolen private keys.
- The attack used a stolen access token and showed how risky open-source tools can be in blockchain projects.
Aikido Intel, a security specialist, recently discovered a security issue in xrpl.js, a token used to interact with the XRP Ledger. On April 22, Aikido Security flagged unusual activity involving several newly published versions of the library. The problem was caused by a developer access token that was stolen and used to publish these versions on the Node Package Manager platform.
Advertisement
🚨We have discovered a backdoor in the official #xrpl NPM package. This back door steals private keys and sends them to attackers. The affected versions 4.2.1 – 4.2.4, if you are using an earlier version, do not upgrade.#crypto #malware #npm pic.twitter.com/wshcTFKjbR
— Aikido Security (@AikidoSecurity) April 22, 2025
The malicious versions included hidden code that attackers could use to collect private keys from users. If used, the code allowed attackers to take control of wallets and move funds. The move posed a serious threat to developers and users who rely on this library to connect with the XRP Ledger.
The XRP Ledger Foundation reacted promptly to the security warning. They released a new patched version of the library, 4.2.5, to remove the harmful code. They also confirmed that the main XRP Ledger codebase and GitHub repository were secure and no one changed them.
For users of the 2.14.x branch we've just published an updated npm package to remove the previously compromised version. If you’re using the 2.14.x branch, please update to 2.14.3 immediately:https://t.co/ZgCiSPf8px
— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025
This library sees over 140,000 downloads each week and is used in many applications and websites. Because of this, the problem could have affected a wide range of users across the XRP ecosystem. Fortunately, key services like Xaman Wallet and XRPScan were not affected, and several ecosystem projects confirmed the same.
Foundation Advises Developers to Act Quickly
After detecting the threat, the foundation acted fast to remove the affected versions and inform developers. Specifically, the foundation advised them to upgrade to two other versions. They also recommended rotating private keys or seed phrases if the affected versions were used in any project.
Aikido performed further checks and found that the attacker had stolen the data on a specific domain, 0x9c.xyz. The harmful versions of the library activated the backdoor as soon as the victim created a new wallet. This allowed the attacker to receive private keys without alerting the user.
The malicious code was only discovered in early versions in the built JavaScript files. This approach made it difficult for standard reviews to notice the problem. Later versions of the package included the backdoor in the original TypeScript files, making the threat more persistent.
Aikido Security also encouraged developers to check their network logs for any connections to the suspicious domain. They noted that bad actors had refined their methods across the fake versions to avoid early detection.
Identity Of Hacker Still Unknown
Authorities have not revealed the identity of the attacker, and the way the access token was stolen remains unknown. While the core XRP Ledger itself was not affected, the event underscored just how dangerous supply chain attacks can be for blockchain projects.
The XRP Ledger Foundation confirmed that it had removed the compromised versions from its code repository. Moreover, it also shared that key ecosystem partners such as Gen3 Games and First Ledger had not been affected.
Many have confirmed that they are not affected including @XamanWallet, @xrpscan, @First_Ledger, @gen3games and others.
— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025
eToro Platform
Best Crypto Exchange
- Over 90 top cryptos to trade
- Regulated by top-tier entities
- User-friendly trading app
- 30+ million users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.
Advertisement
Austin Mwendia
Austin Mwendia is a passionate crypto journalist with three years of experience. He has contributed to various media outlets, covering blockchain technology, market analysis, and financial trends. He is committed to educating readers and expanding the adoption of blockchain and decentralized finance.
View full profile ›ℹ️About Crypto2Community's Editorial Process
Crypto2Community's editorial policy is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict editorial policy and sourcing standards, and each page undergoes diligent review by our team of top crypto industry experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
