The XRP Ledger Foundation has patched a critical vulnerability within its official JavaScript SDK that could have allowed attackers to steal private keys and drain cryptocurrency wallets.
On April 22, the XRP Ledger Foundation released an updated version of the XRP Ledger npm package, removing the compromised code and restoring safe functionality for developers building on the network.
The xrpl npm package is the official JavaScript/TypeScript library for interacting with the XRP Ledger. Developers use it to connect to the network, manage wallets, send transactions, and build decentralized applications using XRPL functionalities.
The update came just hours after blockchain security firm Aikido flagged suspicious activity in five newly published versions of the library.
According to Aikido’s report, bad actors had published fake versions of the package to npm, starting with 4.2.1. These versions did not match any official releases on GitHub, an early red flag that helped Aikido’s automated systems detect the anomaly.
Notably, bad actors had “put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.”
These rogue packages included hidden code that quietly siphoned private keys by pinging a malicious domain 0x9c.xyz controlled by them. The malicious function was triggered whenever a new wallet was created, effectively handing over control of funds to the attacker.
Aikido labelled the vulnerability as “potentially catastrophic,” calling it one of the worst kinds of supply chain attacks in crypto.
Since the xrpl package sees over 140,000 weekly downloads and is embedded in hundreds of thousands of websites and apps, the backdoor had the potential to compromise a massive swath of the XRP ecosystem almost silently.
The attacker was also seen refining the malicious packages with each release. Early versions (4.2.1 and 4.2.2) included changes only in built JavaScript files, likely to avoid triggering suspicion during typical code reviews. Later versions, like 4.2.3 and 4.2.4, injected the malicious code directly into the TypeScript source files, allowing the payload to persist across builds.
Aikido researchers urged users to immediately stop using the affected versions and rotate any private keys or seed phrases that may have been exposed. They also recommended scanning network logs for connections to the domain 0x9c.xyz and upgrading to the patched versions, 4.2.5 or 2.14.3, to ensure continued security.
In follow-up updates, the foundation confirmed that the compromised packages had been removed and that key projects, such as XRPScan, First Ledger, and Gen3 Games, were not affected.
The incident didn’t rattle traders; XRP was up 7.4% over the past 24 hours, trading at $2.24 at the time of writing.
As previously reported by crypto.news, the XRP Ledger faced another major incident earlier this year when a disruption in transaction validation halted the network for nearly an hour on Feb. 5. However, no data loss was reported during the incident.
