
Hacker Targets XRP Owners via JavaScript Library
A malicious actor compromised the official SDK stack for the XRP Ledger by planting a backdoor in a JavaScript library to steal cryptocurrency. The vulnerability was discovered by experts at Aikido Security.
We just published our technical breakdown https://t.co/aAvSN2a68S
— Aikido Security (@AikidoSecurity) April 22, 2025
On April 21, security researcher Charlie Eriksen noticed that a user with the nickname mukulljangid released five new versions of the xrpl.js library via the NPM package manager. The expert’s attention was drawn to the fact that the releases did not appear in the official GitHub repository.

Further analysis revealed the presence of malicious code in the packages, which allowed for the theft of private keys and access to wallets.
“The attacker was actively working on the attack, trying different ways to insert the backdoor while remaining as hidden as possible,” Eriksen noted.
The XRP Ledger Foundation clarified that the vulnerability does not affect the network’s codebase or the GitHub repository. Developers strongly recommended that projects update the library to the patched version xrpl.js 4.2.5.
To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.
— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025
The developers have blocked support for the infected releases 4.2.1-4.2.4 and v2.14.2 in NPM and promised to publish a report on the incident later.
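A project can check its own dependency tree for the releases named above. The following is an added example, not code from Aikido Security or the XRP Ledger Foundation: it scans a parsed package-lock.json (both the flat `packages` layout and the older nested `dependencies` layout) for the infected versions, including copies pulled in transitively. The function names and the sample lockfile are constructed for illustration, and it assumes the library is installed under the npm package name `xrpl`.

```javascript
// Assumption: xrpl.js is installed under the npm package name "xrpl".
const PACKAGE_NAME = "xrpl";
const INFECTED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    // The last "node_modules/" segment is the installed package name;
    // an aliased install records its real name in meta.name.
    const name = (meta && meta.name) || path.split("node_modules/").pop();
    if (name === PACKAGE_NAME && INFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// Lockfile v1: nested "dependencies" tree keyed by package name.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = trail.concat(name).join(" > ");
    if (name === PACKAGE_NAME && INFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    scanDependencyTree(meta.dependencies, trail.concat(name), hits);
  }
}

function findInfectedXrpl(lock) {
  const hits = [];
  scanPackagesMap(lock.packages, hits);
  // v2 lockfiles carry both sections; only fall back to the tree when
  // there is no "packages" map, to avoid double reporting.
  if (!lock.packages) scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/pay-widget/node_modules/xrpl": { version: "4.2.3" },
    "node_modules/legacy-bridge/node_modules/xrpl": { version: "2.14.2" },
    "node_modules/xrpl-helper": { version: "4.2.2" },
  },
};

console.log(findInfectedXrpl(SAMPLE_LOCK));
```

In the sample, the top-level dependency is already on 4.2.5, yet two nested copies are still flagged, which is why the check walks the whole lockfile and not just package.json.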
According to the XRP Ledger team, several major blockchain projects such as Xaman Wallet, XRPScan, and First Ledger confirmed they were not affected by the attack.
The price of the XRP token has risen by more than 8% in the past 24 hours, reaching $2.25, according to CoinGecko.
Back in February, the XRP Ledger network experienced a 64-minute outage. The blockchain resumed operations after a reboot.