Aikido Security disclosed a vulnerability in the XRP Ledger’s (XRPL) official JavaScript SDK, revealing that multiple compromised versions of the XRPL Node Package Manager (NPM) package were published to the registry starting April 21.
The affected versions, v4.2.1 through v4.2.4 and v2.14.2, contained a backdoor capable of exfiltrating private keys, posing a severe risk to crypto wallets that relied on the software.
An NPM package is a reusable module for JavaScript and Node.js projects designed to simplify installation, updates, and removal.
According to Aikido Security, its automated threat monitoring platform flagged the anomaly at 8:53 PM UTC on April 21 when NPM user “mukulljangid” published five new versions of the XRPL package.
These releases did not match any tagged releases on the official GitHub repository, prompting immediate suspicion of a supply chain compromise.
Malicious code embedded in the wallet logic
Aikido’s analysis found that the compromised packages contained a function called checkValidityOfSeed, which made outbound calls to the newly registered and unverified domain 0x9c[.]xyz.
The function was triggered during the instantiation of the wallet class, causing private keys to be silently transmitted when creating a wallet.
Early versions (v4.2.1 and v4.2.2) embedded the malicious code in the built JavaScript files. Subsequent versions (v4.2.3 and v4.2.4) introduced the backdoor into the TypeScript source files, followed by their compilation into production code.
The attacker appeared to iterate on evasion techniques, shifting from manual JavaScript manipulation to deeper integration in the SDK’s build process.
The report stated that this package is used by hundreds of thousands of applications and websites, describing the event as a targeted attack against the crypto development infrastructure.
The compromised versions also removed development tools such as prettier and scripts from the package.json file, further indicating deliberate tampering.
XRP Ledger Foundation and ecosystem response
The XRP Ledger Foundation acknowledged the issue in a public statement published via X on April 22. It stated:
“Earlier today, a security researcher from @AikidoSecurity identified a serious vulnerability in the xrpl npm package (v4.2.1–4.2.4 and v2.14.2). We are aware of the issue and are actively working on a fix. A detailed post-mortem will follow.”
Mark Ibanez, CTO of XRP Ledger-based Gen3 Games, said his team avoided the compromised package versions with a “bit of luck.”
He added:
“Our package.json specified ‘xrpl’: ‘^4.1.0’, which means that, under normal circumstances, any compatible minor or patch version—including potentially compromised ones—could have been installed during development, builds, or deployments.”
However, Gen3 Games commits its pnpm-lock.yaml file to version control. This practice ensured that exact versions, not newly published ones, were installed during development and deployment.
Ibanez emphasized several practices to mitigate risks, such as always committing the “lockfile” to version control, using Performant NPM (PNPM) when possible, and avoiding the use of the caret (^) symbol in package.json to prevent unintended version upgrades.
The software developer kit maintained by Ripple and distributed through NPM receives over 140,000 downloads per week, with developers widely using it to build applications on the XRP Ledger.
The XRP Ledger Foundation removed the affected versions from the NPM registry shortly after the disclosure. Still, it remains unknown how many users had integrated the compromised versions before the issue was flagged.
Mentioned in this article
