Private Keys at Risk: XRP Ledger Battles Severe Supply Chain Exploit

The XRP Ledger Foundation has confirmed the discovery of a critical vulnerability in its official JavaScript library, xrpl.js, used by developers to interact with the XRP Ledger blockchain.

According to blockchain security firm Aikido, which detailed the breach in a 22 April blog post, the open-source library was infiltrated by sophisticated attackers who inserted a backdoor designed to steal private keys and gain unauthorised access to cryptocurrency wallets.

🚨 We have discovered a backdoor in the official #xrpl NPM package. This backdoor steals private keys and sends them to attackers. The affected versions 4.2.1 - 4.2.4, if you are using an earlier version, do not upgrade. #crypto #malware #npm

— Aikido Security (@AikidoSecurity) April 22, 2025

The vulnerability specifically affected versions 4.2.1 through 4.2.4 of the xrpl.js library and was first detected by Aikido on 21 April at 20:53 UTC, after its monitoring system flagged five suspicious packages published to the NPM (Node Package Manager) registry.

Upon further inspection, Aikido confirmed that malicious code had been embedded, posing a serious risk to any DeFi wallet or service that had imported one of the compromised versions.

Aikido noted:

“[T]his package is used by hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem.”

With over 140,000 weekly downloads and widespread adoption across thousands of applications and websites, the incident could have triggered a significant supply chain attack—a threat vector that targets developers and project infrastructure rather than end users directly.

The attackers reportedly deployed multiple versions of the tainted package to obscure the exploit and evade detection.

Aikido’s internal Intel tool, designed to monitor changes in public package repositories like NPM, was instrumental in catching the malicious activity.

Our Developer Advocate @advocatemack breaks down the #XRP supply chain compromise. #xrpl #crypto #infosec https://t.co/E8OYMxm2f9

— Aikido Security (@AikidoSecurity) April 22, 2025

While the core XRP Ledger network itself remains unaffected, the breach highlights growing concerns over the security of open-source blockchain tools.

The XRP Ledger Foundation has since deprecated the compromised versions on NPM, doing so shortly after the issue was made public.

It remains unclear how many users may have installed or integrated the backdoored versions before they were flagged.

The episode serves as a stark reminder of the risks involved in software supply chains—where trust in a widely used development package can be exploited to infiltrate countless systems in a single, coordinated strike.

XRPL Foundation Confirms Vulnerability, Issues Immediate Fix

The recent breach involving Ripple’s official JavaScript library poses a serious threat to the XRP ecosystem, serious enough for Ripple CTO David Schwartz to issue a public warning.

Critical warning for anyone using XRPL.js from NPM. https://t.co/3zV45jNT1t

— David "JoelKatz" Schwartz (@JoelKatz) April 22, 2025

Mayukha Vadari, a senior software engineer at Ripple, also elaborated on the technical aspects of the vulnerability.

The XRP Ledger itself is unaffected by this. The malware packages only affect services that use xrpl.js and upgraded to the malicious versions that were published less than 24 hours ago. Github remains safe, only npm was compromised.

Please avoid using any services that have… https://t.co/ySWcl50Pmf

— Mayukha Vadari (@msvadari) April 22, 2025

While the XRP Ledger itself remains unaffected, the compromised library was distributed through official Ripple channels, exposing users and developers to significant risk.

The potential fallout is considerable: DeFi wallets operating on XRPL collectively hold around $80 million in user funds.

Even a small fraction of that, if compromised, would represent a substantial loss.

In response, the XRP Ledger Foundation, the nonprofit stewarding the XRPL, confirmed the breach and swiftly deployed a fix.

Earlier today, a security researcher from @AikidoSecurity identified a serious vulnerability in the xrpl npm package (v4.2.1-4.2.4 and v2.14.2).

We are aware of the issue and are actively working on a fix.

A detailed post-mortem will follow.

— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025

On 22 April, the Foundation released version 4.2.5 of the xrpl.js library to replace the compromised versions.

👉 v4.2.5 of xrpl.js has been published to replace the previous compromised version. npm: https://t.co/Rd6vWdvLys

Please update immediately.

— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025

All affected releases have since been deprecated on NPM, which marks them as unsafe and prints a warning to anyone who installs them.

Developers are urged to upgrade to v4.2.5 or, if they are on the 2.14.x branch, to v2.14.3; neither release contains the backdoor.

For users of the 2.14.x branch we've just published an updated npm package to remove the previously compromised version. If you’re using the 2.14.x branch, please update to 2.14.3 immediately: https://t.co/ZgCiSPf8px

— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025

The foundation said:

“This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.”

To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.

— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025

Crucially, the Foundation noted that the XRPL’s core codebase and GitHub repository were not compromised.

A full postmortem report is forthcoming.

We’ve deprecated the compromised xrpl.js versions (4.2.1-4.2.4 and v2.14.2) on npm. A detailed post-mortem will be shared soon. 👉 Ensure you’re using v4.2.5 or v2.14.3.

— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025

Several major ecosystem participants, including XRPScan, First Ledger, and Gen3 Games, confirmed they were unaffected.

XRPScan clarified that it does not process private keys and uses an older version of xrpl.js, and Xaman Wallet emphasized it relies on its own infrastructure for key management.

xrpscan is safe from this xrpl.js supply-chain vulnerability. We do not process private keys and use an older version of xrpl.js. For projects using xrpl.js, we recommend double checking the library versions asap, especially if any update was made recently. https://t.co/0sDmnqkBPb

— XRPScan (@xrpscan) April 22, 2025

Still, the incident has prompted broader conversations around secure development practices.

Mark Ibanez, CTO of Gen3 Games, credited his team’s avoidance of the compromised versions to “a bit of luck”, but also to good practices.

Because Gen3 Games commits its pnpm-lock.yaml file to version control, its builds installed the exact xrpl.js version recorded in the lockfile rather than the newest release matching the range in package.json, so the malicious 4.2.x builds were never pulled in automatically.

Ibanez highlighted best practices such as pinning exact versions in package.json rather than using caret ranges, using pnpm where possible, and always committing lockfiles so that builds are reproducible.

To be fair and to be fully transparent, there was a bit of luck involved in us avoiding the compromised xrpl.js versions.

Our package.json specified "xrpl": "^4.1.0", which means that, under normal circumstances, any compatible minor or patch version—including potentially…

— Mark Ibanez (@markibanez) April 22, 2025
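To make the point above concrete, the following is an added example (not code from the article, from Gen3 Games, or from the xrpl.js project). It shows why a caret range such as "^4.1.0" would have accepted every backdoored 4.2.x build on a fresh install, and it scans a package-lock.json for resolved xrpl entries (including nested copies) and flags the versions the Foundation deprecated, which is the version check XRPScan recommended. The compromised version list is taken from the XRPLF notice quoted above; the range-matching logic is a deliberately minimal re-implementation of npm’s exact, tilde and caret semantics, and the lockfile content is constructed for illustration, as is the "xrpl-helper" package in it.

```javascript
'use strict';

// Versions the XRP Ledger Foundation deprecated as compromised (from the notice above).
const COMPROMISED_XRPL = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal npm range semantics (assumption: only these three forms are handled):
//   "1.2.3"  exact pin
//   "~1.2.3" >=1.2.3 <1.3.0
//   "^1.2.3" >=1.2.3 <2.0.0  (^0.y.z stays below 0.(y+1).0, ^0.0.z below 0.0.(z+1))
function satisfies(range, version) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const v = parseVersion(version);
  if (!op) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compare(v, upper) < 0;
}

// Which compromised releases a package.json range would accept on an install
// with no lockfile. "^4.1.0" accepts all four backdoored 4.2.x builds.
function compromisedMatches(range) {
  return [...COMPROMISED_XRPL].filter((v) => satisfies(range, v)).sort();
}

// Scan a package-lock.json (lockfileVersion 2/3 "packages" map) for every
// resolved xrpl entry, including copies nested under other packages.
function scanPackageLock(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/xrpl$/.test(path)) continue;
    hits.push({ path, version: entry.version, compromised: COMPROMISED_XRPL.has(entry.version) });
  }
  return hits;
}

// Constructed sample lockfile: a direct xrpl dependency that resolved to a
// backdoored build, plus a clean nested copy pulled in by a hypothetical helper.
const SAMPLE_LOCK = {
  name: 'example-dapp',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { xrpl: '^4.1.0', 'xrpl-helper': '^1.0.0' } },
    'node_modules/xrpl': { version: '4.2.4', resolved: 'https://registry.npmjs.org/xrpl/-/xrpl-4.2.4.tgz' },
    'node_modules/xrpl-helper': { version: '1.0.0', dependencies: { xrpl: '^2.14.0' } },
    'node_modules/xrpl-helper/node_modules/xrpl': { version: '2.14.1' },
  },
};

function report() {
  console.log('"^4.1.0" would accept:', compromisedMatches('^4.1.0'));
  console.log('"4.1.0" (pinned) would accept:', compromisedMatches('4.1.0'));
  for (const hit of scanPackageLock(SAMPLE_LOCK)) {
    console.log(`${hit.path} -> ${hit.version}${hit.compromised ? '  COMPROMISED' : ''}`);
  }
}

report();
```

Run it against a real project by replacing SAMPLE_LOCK with the parsed contents of your package-lock.json; for pnpm-lock.yaml the same idea applies, but the file is YAML and its keys have the form "xrpl@4.2.4", so the parsing step differs. A committed lockfile plus an install command that refuses to deviate from it (npm ci, or pnpm install --frozen-lockfile) is what turns the pin into a guarantee.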

Although no major losses have been reported, the incident underscores a growing attack surface: the open-source tools that power blockchain infrastructure.

As attackers shift focus to software supply chains, safeguarding development environments becomes more critical than ever.