xrpl.js
xrpl.js npm package backdoored to steal XRP wallet seeds
Five malicious versions of the official Ripple JavaScript SDK were published to npm starting 2025-04-21 at 20:53 UTC by user `mukulljangid` after a maintainer credential compromise. The backdoor exfiltrated wallet seed phrases, mnemonics, and private keys via HTTP POST to `0x9c.xyz/xc` whenever Wallet objects were instantiated or derived. Early versions (4.2.1-4.2.2) injected the payload into compiled JavaScript; later versions (4.2.3-4.2.4) added it to TypeScript source so the backdoor compiled cleanly into builds. Aikido Intel detected the publishes and Ripple released clean v4.2.5 within ~24 hours.
- Date: 2025-04-21 to 2025-04-22
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Cryptocurrency theft
- Cause: Compromised credentials
What Was Affected
- Package: xrpl.js
- Language: javascript
- Component: Library
- Artifact type: source archive
- Domain type: package host
- Domain: npmjs.com
- Repository: github.com/XRPLF/xrpl.js
Compromised Versions
Incident Context
- Motive: Cryptocurrency theft
- Attribution: Unknown attacker
- Transitive: No
- User Impact: 140000
- Observed Duration: 1 day
External References
Source Data
Source record: oss/xrpl.js/meta.yaml