
A critical supply chain attack has compromised Ripple’s official xrpl.js NPM package, injecting malicious code designed to steal XRP wallet private keys. The backdoored versions (2.14.2 and 4.2.1-4.2.4) were downloaded approximately 452 times before the issue was detected and patched in versions 4.2.5 and 2.14.3 [1]. This incident marks another high-profile attack against cryptocurrency infrastructure through npm package hijacking.
Technical Analysis of the Compromise
The attackers introduced a malicious checkValidityOfSeed() function that exfiltrated wallet seeds and private keys to a remote server (https://0x9c[.]xyz/xcm) using HTTP requests disguised with an “ad-referral” user agent [2]. Forensic analysis suggests the compromise occurred during the NPM publishing process rather than through GitHub repository access, as the official GitHub repo remained unaffected throughout the incident [3].
Security researchers identified that the attacker used the npm account “mukulljangid,” which some sources suspect may belong to a Ripple employee [4]. The malicious versions were available for approximately 48 hours before being detected, during which they were downloaded by automated build systems and development environments integrating the xrpl.js library.
Impact and Response
The XRP Ledger Foundation confirmed that major wallet applications like Xaman Wallet and blockchain explorers such as XRPScan were not affected, as they use different dependency versions [5]. However, any applications or services that automatically updated to the compromised versions are at risk of having their XRP funds stolen.
Ripple and the XRP Ledger Foundation have taken the following mitigation steps:
- Released clean versions (4.2.5 and 2.14.3) with the backdoor removed
- Published security advisories through npm and GitHub
- Recommended key rotation for potentially exposed wallets
Broader Security Implications
This attack follows a pattern of similar supply chain compromises targeting cryptocurrency libraries, including recent incidents involving Ethereum and Solana packages [6]. The incident highlights several ongoing challenges in open-source package security:
| Challenge | Example from This Incident |
|---|---|
| Package maintainer account security | Suspected employee account compromise |
| Automated trust in version updates | 452 downloads before detection |
| Financial motivation for attacks | Direct wallet draining capability |
Security teams should implement additional verification for financial application dependencies, including:
- Strict version pinning for cryptocurrency libraries
- Automated checks for unexpected network traffic from development dependencies
- Regular audits of third-party code in financial applications
Detection and Remediation
Organizations using xrpl.js should immediately verify their installed version and upgrade to 4.2.5 if running any affected versions. The following indicators of compromise (IOCs) have been identified:
- HTTP requests to 0x9c[.]xyz with ad-referral headers
- Unexpected network activity from the checkValidityOfSeed() function
- Modified package checksums for versions 2.14.2 and 4.2.1-4.2.4
For wallets that may have been exposed, the XRP Ledger Foundation recommends using their key management tools to rotate compromised keys and disable master keys if they were exposed [7].
Conclusion
The xrpl.js supply chain attack demonstrates the growing sophistication of threats targeting cryptocurrency ecosystems through developer tools. While the immediate impact appears limited due to quick detection, the incident serves as a reminder of the vulnerabilities inherent in open-source package distribution systems, particularly for financial applications.
Security teams should review their dependency management practices, implement additional monitoring for sensitive libraries, and establish procedures for rapid response to similar incidents. The cryptocurrency development community will need to address these systemic risks as attackers continue to focus on this high-value target area.
References
- “Ripple’s xrpl.js npm Package Backdoored to Steal Private Keys in Major Supply Chain Attack,” The Hacker News, [Online]. Available: https://thehackernews.com/2025/04/ripples-xrpljs-npm-package-backdoored.html
- “XRP Supply Chain Attack: Official npm Package Infected With Crypto-Stealing Backdoor,” Aikido Security, [Online]. Available: https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
- I. Tasdelen, “Ripple’s xrpl.js npm Package Compromised: A Deep Dive Into the Supply Chain Attack,” Medium, [Online]. Available: https://ismailtasdelen.medium.com/ripples-xrpl-js-npm-package-compromised-a-deep-dive-into-the-supply-chain-attack-222f2feb54a7
- “Ripple’s Recommended XRP Library xrpl.js Hacked to Steal Wallets,” BleepingComputer, [Online]. Available: https://www.bleepingcomputer.com/news/security/ripples-recommended-xrp-library-xrpljs-hacked-to-steal-wallets/
- “XRP Ledger Developer Kit Compromised With Backdoor to Steal Wallet Private Keys,” CryptoSlate, [Online]. Available: https://cryptoslate.com/xrp-ledger-developer-kit-compromised-with-backdoor-to-steal-wallet-private-keys/
- “Solana Web3.js Library Backdoored to Steal Secret Private Keys,” BleepingComputer, [Online]. Available: https://www.bleepingcomputer.com/news/security/solana-web3js-library-backdoored-to-steal-secret-private-keys/
- “XRPL Foundation Confirms SDK Breach and Issues Urgent Fix,” CryptoRank, [Online]. Available: https://cryptorank.io/news/feed/6898d-xrp-ledger-foundation-confirms-sdk-breach-and-issues-urgent-fix