The Ripple Cryptocurrency NPM JavaScript library, named Xrpl.js, is compromised by unknown threat actors as part of a software supply chain attack designed to harvest and remove user private keys.
Malicious activity has been found to affect five different versions of packages: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. This issue is explained in versions 4.2.5 and 2.14.3.
Xrpl.js is a popular JavaScript API for interacting with the XRP Ledger blockchain, also known as the Ripple Protocol, a cryptocurrency platform launched by Ripple Labs in 2012. The package has been downloaded over 2.9 million times so far, attracting over 135,000 weekly downloads.
“The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who could put in a backdoor and steal private cryptocurrency keys and access the cryptocurrency wallet.”
It has been found that malicious code changes have been introduced from April 21, 2025 by a user named “Mukulljangid”. The threat actor introduces a new function named CheckValiditivityofSeed, designed to send stolen information to an external domain (“0x9c(.)xyz”).
It is worth noting that “Mukulljangid” is likely to belong to a Ripple employee. This indicates that the NPM account has been hacked and stopped the supply chain attack.
The attackers are said to have tried different ways of sneaking into the backdoor, trying to avoid detection, as evident by the various versions released in a short period of time. There is no evidence that the associated GitHub repository has become the background.
It’s not clear who is behind the attack, but it is believed that threat actors were able to steal the developer’s NPM access token and tamper with the library.
In light of the incident, users relying on the XRPL.JS library are advised to update their instances to the latest versions (4.2.5 and 2.14.3) to mitigate potential threats.
“This vulnerability lies in Xrpl.js, a JavaScript library that allows you to interact with XRP Ledger.” The XRP Ledger Foundation stated in an X post.
