Ripple's xrpl.js Library Hack Exposes User Keys
Ripple's xrpl.js Library Compromised in Supply Chain Attack
A critical security vulnerability has been discovered in xrpl.js, the official JavaScript library for interacting with the XRP Ledger (XRPL) blockchain. The attack, identified as a sophisticated software supply chain compromise, allowed threat actors to steal users' private keys and gain access to their cryptocurrency wallets. The malicious code was introduced into versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the npm package between 4:46 PM and 5:49 PM ET on April 21, 2025. These versions have since been removed.
The malicious code, a function named `checkValidityOfSeed`, was added to the `/src/index.ts` file. This function transmits stolen information, including private keys and seed phrases, to a malicious server (https://0x9c[.]xyz/xcm). The attackers attempted to mask the malicious activity by using an "ad-referral" user agent. According to Aikido Security, the compromised versions were uploaded at different times and received a total of 452 downloads. While this number is relatively small, the impact could be significant given the widespread use of xrpl.js for managing a large number of XRP wallets.
The attack appears to have involved compromising the npm account of a Ripple employee. The malicious commits were not present in the public GitHub repository, suggesting the attack occurred during the npm publishing process. The XRP Ledger Foundation and Ripple have since released updated versions (4.2.5 and 2.14.3) that resolve the vulnerability. They have also confirmed that the XRP Ledger codebase and GitHub repository itself remain unaffected. Several projects utilizing xrpl.js, including XRPScan, First Ledger, and Gen3 Games, have reported no impact.
Users are urged to immediately update to the latest version of xrpl.js to mitigate the risk. The XRP Ledger Foundation provides instructions on how to rotate private keys and disable master keys if compromised. This incident highlights the significant risks associated with software supply chain attacks and the importance of maintaining robust security practices throughout the software development lifecycle.
A critical security vulnerability has been discovered in xrpl.js, the official JavaScript library for interacting with the XRP Ledger (XRPL) blockchain. The attack, identified as a sophisticated software supply chain compromise, allowed threat actors to steal users' private keys and gain access to their cryptocurrency wallets. The malicious code was introduced into versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the npm package between 4:46 PM and 5:49 PM ET on April 21, 2025. These versions have since been removed.
The malicious code, a function named `checkValidityOfSeed`, was added to the `/src/index.ts` file. This function transmits stolen information, including private keys and seed phrases, to a malicious server (https://0x9c[.]xyz/xcm). The attackers attempted to mask the malicious activity by using an "ad-referral" user agent. According to Aikido Security, the compromised versions were uploaded at different times and received a total of 452 downloads. While this number is relatively small, the impact could be significant given the widespread use of xrpl.js for managing a large number of XRP wallets.
The attack appears to have involved compromising the npm account of a Ripple employee. The malicious commits were not present in the public GitHub repository, suggesting the attack occurred during the npm publishing process. The XRP Ledger Foundation and Ripple have since released updated versions (4.2.5 and 2.14.3) that resolve the vulnerability. They have also confirmed that the XRP Ledger codebase and GitHub repository itself remain unaffected. Several projects utilizing xrpl.js, including XRPScan, First Ledger, and Gen3 Games, have reported no impact.
Users are urged to immediately update to the latest version of xrpl.js to mitigate the risk. The XRP Ledger Foundation provides instructions on how to rotate private keys and disable master keys if compromised. This incident highlights the significant risks associated with software supply chain attacks and the importance of maintaining robust security practices throughout the software development lifecycle.
