The XRP community was recently put on high alert following a significant security breach involving a key JavaScript library for the XRP Ledger. The Ripple-maintained npm library, known as xrpl.js, fell victim to a software supply chain attack, leading to the potential exposure of users’ private keys.
Cybersecurity firm Aikido Security initially flagged the vulnerability, which was subsequently confirmed by Ripple’s Chief Technology Officer, David Schwartz. The compromise affected specific versions of the Node Package Manager (NPM) library, namely 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Fortunately, major XRP services such as Xaman Wallet and XRPScan reported that their systems remained unaffected by the malicious code.
🚨 We have discovered a backdoor in the official #xrpl NPM package. This backdoor steals private keys and sends them to attackers. The affected versions are 4.2.1 – 4.2.4; if you are using an earlier version, do not upgrade. #crypto #malware #npm pic.twitter.com/wshcTFKjbR
— Aikido Security (@AikidoSecurity) April 22, 2025
Ripple Under Scrutiny Over Security Protocols
The incident has ignited a debate surrounding Ripple’s security practices. Bitcoin developer Peter Todd pointedly recalled his decade-old warnings about potential vulnerabilities in Ripple’s software due to the absence of robust security measures like PGP signing. Todd argued that the npm compromise effectively created a “Ripple backdoor,” emphasizing that the lack of secure code verification could have prevented the attack.
Interestingly, Todd also acknowledged that his own Python library lacks PGP signing for most users because PyPI has phased out the feature. This led him to criticize the broader software industry as “incompetent” on security practices, while admitting he has no control over the situation.
10 years after I pointed out the risk of a Ripple backdoor due to Ripple not PGP signing their software or providing any other way to get it securely… there's a Ripple backdoor due to an npm compromise. 😂 https://t.co/5Z3x68KeB5 pic.twitter.com/IkR3sG3pfd
— Peter Todd (@peterktodd) April 23, 2025
Malicious Code Injected Through Compromised Account
Investigations revealed that a user identified as “mukulljangid” introduced the malicious code into the xrpl.js package starting on April 21, 2025. The injected code included a new function designed to steal private keys and transmit them to an external domain. The attacker reportedly gained access through a compromised npm account belonging to a Ripple employee.
The attacker’s strategy involved rapidly deploying the malicious code across multiple library versions in a short timeframe, likely an attempt to evade detection. However, the XRP Ledger Foundation has clarified that there is no evidence of a backdoor within the GitHub repository itself.
To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.
— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025
The Foundation has since removed the compromised versions of xrpl.js and is advising developers to upgrade to the secure versions 4.2.5 or 2.14.3. A comprehensive report on the incident is expected soon. This event underscores the growing concerns about software security within the cryptocurrency space, where significant financial assets and user trust are at stake.
Disclaimer: The information in this article is for general purposes only and does not constitute financial advice. The author’s views are personal and may not reflect the views of Chain Affairs. Before making any investment decisions, you should always conduct your own research. Chain Affairs is not responsible for any financial losses.
I’m your translator between the financial Old World and the new frontier of crypto. After a career demystifying economics and markets, I enjoy elucidating crypto – from investment risks to earth-shaking potential. Let’s explore!
