Recently, XRP faced a major security breach involving one of XRP Ledger’s JavaScript libraries. The Ripple npm JavaScript library named xrpl.js was compromised in a software supply chain attack which exposed users’ private keys.
The security flaw was flagged by Aikido Security and was confirmed by Ripple CTO David Scwartz. The issue affects specific versions of the Node Package Manager (NPM) library, but major XRP services like Xaman Wallet and XRPScan confirmed they were unaffected.
The affected versions were 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. However, the issue has been fixed in newer versions 4.2.5 and 2.14.3.
Peter Todd, a Bitcoin developer pointed out that a decade after he warned of security risks in Ripple’s software due to lack of proper security measures like PGP signing, there’s a Ripple backdoor due to an npm compromise. He criticized Ripple for not using a secure method (PGP signatures) to verify their code, which could have prevented this attack.
Todd also admitted that his own Python Library is not PGP signed for most users due to PyPi phasing out PGP signatures. He criticised the software industry as ‘incompetent’ stressing that he has no control over it.
A user named “mukulljangid” introduced a malicious code into the xrpl.js package starting April 21, 2025 and also introduced a new function to steal private keys and send them to an external domain. The attacked gained access through a compromised Ripple employee’s npm account. Besides, the attacker used multiple versions in a short time to avoid detection, but there is no evidence of a backdoor in the GitHub repository.
The XRP Ledger foundation issued a clarification and confirmed that compromised versions of xrpl.js have been removed. Developers are advised to use versions 4.2.5 or 2.14.3, with a detailed report coming soon.
The incident has sparked concerns over software security, especially in crypto where customer support and huge sums of money are involved.
