A recent attack has compromised the Ripple cryptocurrency npm JavaScript library, xrpl.js, to steal private keys. The backdoor was introduced by unknown threat actors across several versions of the package, including 4.2.1 to 4.2.4 and 2.14.2. The malicious code, which targets users’ cryptocurrency wallets, has been fixed in versions 4.2.5 and 2.14.3. Over 2.9 million downloads of xrpl.js were affected by the attack, making it a significant security breach in the crypto space.
The backdoor was introduced through a new function called checkValidityOfSeed, which transmits stolen information to an external domain. This attack began on April 21, 2025, and it is believed that the npm account of a Ripple employee was compromised. The attacker attempted to bypass detection by releasing multiple versions in a short time. However, there is no evidence suggesting that the GitHub repository hosting the library was backdoored.
The attacker is suspected to have stolen a developer’s npm access token, giving them control to tamper with the library. This breach highlights the vulnerability of software supply chains, particularly when a trusted package is targeted. The Ripple team and cybersecurity experts have stressed the importance of addressing such attacks quickly to protect users’ private keys and wallets.
Users of xrpl.js are urged to update to the latest versions (4.2.5 and 2.14.3) to prevent further exploitation. The XRP Ledger Foundation has confirmed that this issue does not impact the XRP Ledger codebase or its GitHub repository. This attack serves as a reminder of the potential risks in open-source software development, emphasizing the need for rigorous security measures.