xrpl.js npm package stole wallet seeds
Five malicious versions of the official Ripple JavaScript SDK were published to npm starting 2025-04-21 at 20:53 UTC by user mukulljangid after a maintainer credential compromise.
Story
On the evening of April 21, 2025, an attacker using the npm account mukulljangid published five malicious releases of xrpl, the official JavaScript SDK for the XRP Ledger, designed to siphon wallet seeds and private keys to attacker infrastructure the moment a developer instantiated a Wallet object.
The xrpl package is maintained by the XRP Ledger Foundation and used by wallets, exchanges, and applications that move money on the XRP network. At the time of the compromise, The Register reported the library was pulling more than 186,000 weekly downloads. A malicious release in that position does not need broad system access; it only needs to see the secret material developers hand the library by design.
Researchers at Aikido, who first flagged the activity, traced the compromise to a maintainer credential and tracked the attacker's iteration in real time. The first malicious versions, 4.2.1 and 4.2.2, injected the payload directly into the compiled JavaScript shipped to npm. By 4.2.3 and 4.2.4 the attacker had moved the change upstream into the TypeScript source so it would compile naturally into the build, a cleaner approach that survived rebuilds. A backport, 2.14.2, was published to cover the older release line; the project's advisory later noted that 2.14.2 was unlikely to install in practice because it broke compatibility with other 2.x releases. Across all five versions the payload posted wallet seeds, mnemonics, and private keys to 0x9c.xyz/xc.
The XRP Ledger Foundation pulled the malicious versions and shipped 4.2.5 and 2.14.3 the following day, telling affected users to treat any keys that had passed through an affected build as exposed: move funds, rotate keys where possible, and disable any potentially compromised master key. The incident was assigned CVE-2025-32965. As with other registry-side compromises of crypto-adjacent libraries, the size of the download count measures exposure, not confirmed theft.
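The five version strings above are what a dependency audit has to match. As an added example (not code from the xrpl project or the advisory), the following script walks an npm package-lock.json in both layouts npm has shipped, the nested dependencies tree of lockfileVersion 1 and the flat packages map of versions 2 and 3, and reports every xrpl install pinned to an affected release; the two sample lockfiles are constructed.

```javascript
// Added example, not code from the xrpl project or the advisory. Reports every
// xrpl entry in an npm package-lock.json whose version is one of the five
// affected releases, for both lockfile layouts npm has shipped.
const AFFECTED_XRPL_VERSIONS = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

function findAffectedXrpl(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2 and 3: flat map keyed by node_modules path; the ""
    // root entry never matches the name check.
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      const isXrpl = path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl");
      if (isXrpl && meta && AFFECTED_XRPL_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so a transitive install
  // (a wallet library that itself depends on xrpl) needs a recursive walk.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl" && AFFECTED_XRPL_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

// Constructed sample lockfiles for illustration; not real project files.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/wallet-helper/node_modules/xrpl": { version: "4.2.5" },
  },
};
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  "wallet-helper": { version: "1.0.0", dependencies: { xrpl: { version: "2.14.2" } } },
} };

for (const hit of findAffectedXrpl(SAMPLE_LOCK_V3)) {
  console.log(`${hit.path}: xrpl@${hit.version} is an affected release`);
}
```

A hit on any path, including a nested one under another package, means key material handled by that build should be treated as exposed, per the advisory.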
Affected Artifacts
- Observed: 2025-04-21 to 2025-04-22
- The GitHub advisory recommends upgrading to 4.2.5 or 2.14.3 and rotating any private keys or secrets used with affected systems.
- The Register reported xrpl weekly downloads exceeded 186,000 in April 2025; this is exposure context, not a confirmed victim count.
Incident Context
- Motive: Cryptocurrency Theft
- Cause: Compromised Credentials
- Transitive: No
- User Impact: 140000
External References
- XRP Supply Chain Attack - Official npm Package Infected With Crypto-Stealing Backdoor (aikido.dev)
- XRP Supply Chain Attack - Official npm Package Infected With Crypto-Stealing Backdoor (thehackernews.com)
- Official XRP Ledger npm package backdoored to steal private keys (bleepingcomputer.com)
- Ripple NPM supply chain attack hunts for private keys (theregister.com)
- Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 (github.com)
Source record: oss/attacks/xrpl.js/meta.yaml