Ripple XPRL Official NPM Package Hijacked To Inject Private Key Stealing Malware

Apr 23, 2025 - 16:43

A significant supply chain attack targeting cryptocurrency users. The official XRPL (Ripple) NPM package, which serves as the JavaScript SDK for the XRP Ledger, was compromised with malicious code designed to steal cryptocurrency private keys, potentially affecting hundreds of thousands of applications.

On April 21, 2025, at 20:53 GMT, Aikido Intel’s security monitoring system detected five unusual new package versions of the xrpl library, which averages more than 140,000 weekly downloads.

Further investigation confirmed that these versions contained backdoor code capable of stealing cryptocurrency private keys and gaining unauthorized access to users’ digital wallets.

“This package is used by hundreds of thousands of applications and websites, making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem,” warned Charlie Eriksen, a malware researcher at Aikido Security.

The security team quickly identified that a user named “mukulljangid” had released the suspicious package versions. This account is believed to belong to a Ripple employee whose credentials were compromised.

The malicious versions—4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2—did not correspond to any official releases on the project’s GitHub repository, which immediately raised red flags.

Technical analysis revealed a suspicious function checkValidityOfSeed embedded in the package. This function was designed to send private key information to an external domain registered only in January 2025—0x9c[.]xyz.

The malicious code would activate when users created new wallets or interacted with existing ones, sending sensitive cryptographic information to the attackers.

“The attacker was actively trying different ways to insert the backdoor while remaining as hidden as possible,” Eriksen explained. “Going from manually inserting the backdoor into the built JavaScript code, to putting it into the TypeScript code and then compiling it down into the built version”.

The XRP Ledger Foundation has confirmed that the compromise affects only the xrpl.js library and not the XRP Ledger codebase or GitHub repository itself.

In response to the discovery, clean versions (4.2.5 and 2.14.3) were quickly released to replace the compromised packages.

Security experts estimate that the malicious package versions were downloaded approximately 450 times before being detected and removed.

Users who may have installed any of the compromised packages between April 21 and April 22 are urged to inspect their network logs for outbound connections to the suspicious domain.

This incident highlights the growing threat of software supply chain attacks targeting cryptocurrency infrastructure. Similar incidents have occurred in the past, including the UAParser.js compromise in 2021, which impacted a package with millions of weekly downloads.

Organizations and developers working with XRP are advised to immediately update to the latest package versions and assume that any seed or private key processed by the compromised versions has been exposed.
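The two checks recommended above (find any installed copy of the compromised xrpl versions, and look for outbound connections to the exfiltration domain) as an added example; this is not code from the article or from the xrpl project. It assumes an npm package-lock.json in the lockfileVersion 2/3 layout, a constructed proxy-log line format, and the version list and domain exactly as the article reports them.

```javascript
// Added example (not from the article or the xrpl project): audit a
// package-lock.json for the compromised xrpl versions named in the article
// and flag outbound connections to the exfiltration domain in a proxy log.
const COMPROMISED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const EXFIL_DOMAIN = "0x9c.xyz"; // the article defangs it as 0x9c[.]xyz

// Walk a lockfileVersion 2/3 "packages" map (keys like "node_modules/xrpl"
// or "node_modules/foo/node_modules/xrpl", so nested copies are seen too)
// and return every xrpl entry whose version is on the compromised list.
function findCompromisedXrpl(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isXrpl = path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl");
    if (isXrpl && COMPROMISED.has(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Return log lines whose host (URL authority or a host= field) is the
// exfiltration domain or a subdomain of it. Matching on the parsed host, not a
// substring, avoids false hits on paths or lookalike names containing "0x9c.xyz".
function findExfilConnections(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/(?:https?:\/\/|\bhost=)([A-Za-z0-9.-]+)/);
    if (!m) return false;
    const host = m[1].toLowerCase();
    return host === EXFIL_DOMAIN || host.endsWith("." + EXFIL_DOMAIN);
  });
}

// Constructed sample inputs (not real data): one direct compromised copy, one
// nested clean copy, and four proxy log lines, two of which reach the domain.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/legacy-lib/node_modules/xrpl": { version: "2.14.3" },
  },
};
const sampleLog = [
  "2025-04-21T21:05:12Z CONNECT host=0x9c.xyz port=443 user=build",
  "2025-04-21T21:05:13Z GET https://registry.npmjs.org/xrpl status=200",
  "2025-04-21T21:06:00Z GET https://api.0x9c.xyz/collect status=200",
  "2025-04-21T21:06:01Z GET https://example.com/docs/0x9c.xyz status=200",
];

console.log("compromised xrpl copies:", findCompromisedXrpl(sampleLock));
console.log("connections to exfil domain:", findExfilConnections(sampleLog));
```

A positive lockfile hit means the advice above applies: treat every seed or private key handled by that build as exposed, not merely update the dependency.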

Financial institutions and cryptocurrency service providers should also conduct thorough security audits of their dependencies to ensure they haven’t been affected by this or similar supply chain attacks.


The post Ripple XPRL Official NPM Package Hijacked To Inject Private Key Stealing Malware appeared first on Cyber Security News.