Malicious code in NPM package xrpl.js (CVE-2025-32965)
The NPM package xrpl.js contained malicious code (CVE-2025-32965), which sends master keys from cryptocurrency wallets and private keys of cryptocurrencies to an external server. The xrpl package is positioned as the officially recommended library (xrpl.js) for JavaScript and TypeScript applications, running in the browser or Node.js, to interact with the decentralized payment network XRP Ledger (Ripple), which supports the cryptocurrency ranked 4th by market capitalization (behind only $BTC, $ETH, and USDT). The xrpl.js library recorded 165 thousand downloads in the week preceding the incident, is used as a dependency in 143 NPM packages, and is used in many cryptocurrency applications and websites.
Details of the attack:
- The malicious code was disguised as the function `checkValidityOfSeed`, which instead of checking the key, sent it to the attackers.
- Infected versions were uploaded to NPM on April 21 and were removed on April 22. They were not published on GitHub.
- It is believed that the attack was made possible by the compromise of one of the developers' accounts through phishing.
Threat scale:
- The library is used in 143 NPM packages and was downloaded 165 thousand times in the week prior to the incident.