XRP Ledger JavaScript SDK Compromised by npm Backdoor
Fresh Take:
The XRP Ledger community was alarmed when a backdoor was discovered in xrpl.js, the official JavaScript SDK for interacting with the XRPL. On April 21, security firm Aikido Security flagged malicious releases of the xrpl npm package that put the private keys of XRP wallets at risk.
On April 22, the XRP Ledger Foundation confirmed the incident in a statement, advising that several versions of the xrpl npm package had been compromised and published with a backdoor capable of stealing users' private keys.
SDK Security Flaw Exposed
According to Aikido Security, the compromised versions of the xrpl npm package (v4.2.1 through v4.2.4, and v2.14.2) contained a malicious function that covertly transmitted private keys to an attacker-controlled server whenever a wallet was created. Whoever collected those keys could later sign transactions for the affected accounts, including wallets that were unfunded when they were generated and only received assets afterwards, and drain them.
Not every wallet was exposed. Wietse Wind, founder and CEO of XRPL Labs, stated that Xaman Wallet was not affected, because it relies on XRPL Labs' own xrpl-client and xrpl-accountlib libraries rather than xrpl.js, keeping wallet connectivity separate from the signing process.
Aikido's Findings and Impact
Aikido Security discovered the backdoor after its threat monitoring system flagged suspicious new versions of the xrpl package on npm. These releases, which looked like official ones but were published by an npm account named "mukulljangid", contained the malicious function.
The backdoor was also placed so as to evade casual inspection. In the earlier compromised versions (v4.2.1 and v4.2.2) the malicious code appeared only in the compiled JavaScript that npm ships, not in any source file, while the later versions (v4.2.3 and v4.2.4) carried it in the TypeScript source as well, so that it blended in with legitimate code.
The attackers also stripped development tooling from the published packages and obscured their changes, complicating audits: the compromised packages' package.json lacked the build scripts that the genuine releases carry.
The incident is a stark reminder that a supply chain attack on a single package can endanger many downstream projects and their users. Although only the npm-distributed xrpl.js SDK was affected, and not the project's GitHub source repository, thousands of XRP wallets created with the compromised SDK versions were potentially at risk.
Rapid Response and Patch
Following the discovery, the XRP Ledger Foundation promptly released clean versions of the npm package (4.2.5 and 2.14.3) with the malicious code removed, making the SDK safe for developers once again. Developers were urged to update to a clean release immediately and to audit their dependencies.
Any user or developer whose software created wallets with a compromised version should assume those private keys are compromised and move the assets to new wallets with freshly generated keys. Several major XRP projects remained unaffected thanks to cautious dependency management.
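The dependency audit recommended here, and the two indicators from the findings section (the list of backdoored versions and the package.json shipped without build scripts), can be scripted. The following is an added example written for this article, not code from the page or from the xrpl.js project. It walks a parsed package-lock.json, including copies of xrpl nested under other dependencies, and checks a published package.json. The lockfile, the hypothetical `example-wallet-lib`, and the default expected script name `build` are constructed assumptions for the demonstration; set the expected script names from the upstream repository.

```javascript
// Added example, not code from the page or from the xrpl.js project: audit
// an npm lockfile for the compromised xrpl releases named in the article,
// including copies nested under other dependencies, and check a published
// package.json for the "missing build scripts" indicator.

// Release versions the article identifies as backdoored.
const COMPROMISED_XRPL_VERSIONS = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);

// Walk a parsed package-lock.json (object, not text) and return every
// installed copy of xrpl whose version is on the list. Handles both the
// lockfileVersion 2/3 "packages" map (keyed by install path) and the
// lockfileVersion 1 nested "dependencies" tree.
function findCompromisedXrpl(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      const isXrpl = installPath === 'node_modules/xrpl' || installPath.endsWith('/node_modules/xrpl');
      if (isXrpl && COMPROMISED_XRPL_VERSIONS.has(meta.version)) {
        hits.push({ path: installPath, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (name === 'xrpl' && COMPROMISED_XRPL_VERSIONS.has(meta.version)) {
        hits.push({ path: installPath, version: meta.version });
      }
      walk(meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Inspect a published package.json. The tampered releases shipped without
// the build scripts the genuine project carries; which script names to
// expect is project specific, so the default below ("build") is an
// assumption for this example and should be taken from the upstream repo.
function packageJsonIndicators(pkg, expectedScripts = ['build']) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const name of expectedScripts) {
    if (!(name in scripts)) findings.push(`missing script "${name}"`);
  }
  if (pkg.name === 'xrpl' && COMPROMISED_XRPL_VERSIONS.has(pkg.version)) {
    findings.push(`known compromised release ${pkg.name}@${pkg.version}`);
  }
  return findings;
}

// Constructed sample inputs for the demonstration (not real project files):
// one direct dependency on xrpl 4.2.4 and one transitive copy of 2.14.2
// pulled in by a hypothetical wallet library.
const constructedLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '1.0.0' },
    'node_modules/xrpl': { version: '4.2.4' },
    'node_modules/example-wallet-lib': { version: '1.0.0' },
    'node_modules/example-wallet-lib/node_modules/xrpl': { version: '2.14.2' },
    'node_modules/example-other-dep': { version: '3.1.0' },
  },
};
const constructedCompromisedPkg = { name: 'xrpl', version: '4.2.4', scripts: {} };

for (const hit of findCompromisedXrpl(constructedLock)) {
  console.log(`compromised xrpl ${hit.version} installed at ${hit.path}`);
}
console.log(packageJsonIndicators(constructedCompromisedPkg));
```

For a real project, parse the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and exit non-zero in CI whenever `findCompromisedXrpl` returns anything; yarn and pnpm lockfiles need their own parsers. The package.json check is only a heuristic: a clean list of findings does not prove a release is genuine, so pair it with pinned versions and a review of what the published tarball actually contains.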
A Threat No More
The incident exposed the risk inherent in depending on third-party libraries and the importance of guarding against it. Developers are advised to restrict who can publish their packages, scan code before release, avoid publishing pipelines that push to the registry without review, and never handle private keys directly unless they are fully prepared to manage the associated risks.
All things considered, the xrpl.js backdoor seriously jeopardized the security of XRP wallets. Fortunately, swift detection, removal of the malicious packages, and the release of clean SDK versions limited the overall harm. Nevertheless, developers and users must remain vigilant, keeping their dependencies current and securing their accounts to protect themselves in the XRP ecosystem.
- The recent finding by Aikido Security exposed a backdoor in the xrpl npm package, threatening the security of XRP wallets, which are crucial components of the XRP Ledger ecosystem.
- Those working in crypto finance and technology should take note of this incident, as it is a stark reminder that even widely used third-party libraries such as xrpl.js can be turned against their users.
- Developers must be cautious when relying on these libraries, and they should limit publishing access, scan code before release, and avoid auto-publishing pipelines to secure their projects.
- In response to the malicious xrpl.js SDK backdoor, the XRP Ledger Foundation swiftly released a secure version of the NPM package, ensuring the SDK's security for developers once again.
- Users and developers should always keep their dependencies updated and be vigilant about potential vulnerabilities, as cybersecurity breaches can jeopardize cryptocurrency assets.

