The XRP Ledger Foundation disclosed that versions 4.2.1 through 4.2.4 and 2.14.2 of the xrpl.js JavaScript package were laced with a backdoor that could siphon private keys to an attacker’s server.
The bug threatened hundreds of thousands of projects using the library until developers patched the code hours later.
The Discovery
Security researcher Charlie Eriksen of Aikido Security spotted unusual alerts from his monitoring system late on April 21.
He noticed five new releases of the xrpl package, the official SDK for the XRP Ledger, with malicious code hidden in both built JavaScript and source TypeScript files. His warning triggered swift action from the XRP Ledger team.
What Went Wrong?
The attacker first slipped a backdoor into the compiled JavaScript. When that approach drew too much attention, they moved on to embedding it directly in the TypeScript source and recompiled it, so the same hidden payload ended up in the build.
The result was a supply chain attack capable of capturing private keys from any developer or application that installed the compromised versions.
Immediate Response
XRP Ledger engineers pulled the rogue versions within hours and pushed a clean release, v4.2.5, to supersede the tainted ones.
In a public statement, the Foundation stressed that the vulnerability only affected the xrpl.js SDK, not the core ledger or its GitHub repository. Developers were urged to upgrade immediately to the new release.
Broader Impact
With over 140,000 weekly downloads, xrpl.js underpins apps and services across the XRP ecosystem. Anyone using the infected packages is advised to treat their private keys as compromised and rotate them without delay.
Most end users, however, remain safe, as popular wallets like Xumm and other well-known apps do not rely directly on these raw SDK versions.
Ledger Security Remains Intact
Mayukha Vadari, senior software engineer at RippleX, confirmed that the XRP Ledger itself was never at risk. “The ledger’s security is sound,” he said.
“Only the developer kit was infected, and we have removed the malicious code.” Aikido Security echoed this reassurance: the network continued processing transactions normally throughout the incident.
Next Steps and Lessons Learned
The Foundation plans to publish a full post-mortem once it completes its investigation into how the attacker slipped past existing controls.
In the meantime, developers should enable supply chain safeguards, such as package checksums and dependency audits, to prevent similar threats.
This incident underscores how a small change in a widely used library can have far-reaching consequences. While the XRP Ledger team’s quick detection and fix prevented a larger disaster, it highlights the need for constant vigilance in open-source ecosystems.
By adopting stronger vetting practices, blockchain projects and developers can better protect themselves against stealthy supply chain attacks.