XRP Ledger SDK Compromised by Backdoor Exploit

The XRP Ledger Foundation has warned about a security vulnerability in the official JavaScript SDK, which interacts with the XRPL.

On April 21, Aikido Security revealed that several versions of its Node Package Manager (NPM) software were compromised and published, containing a backdoor that could steal private keys from users.

Security Flaw in Developer Kit

The XRP Ledger Foundation confirmed the issue in an April 22 statement:

“Earlier today, a security researcher from @AikidoSecurity identified a serious vulnerability in the xrpl npm package (v4.2.1-4.2.4 and v2.14.2).”

In response to the breach, Wietse Wind, founder and CEO of XRPL Labs, reassured users that Xaman Wallet was not affected by the flaw. Wind explained that the product does not use xrpl.js but instead relies on its xrpl-client and xrpl-accountlib libraries, which separate wallet connectivity from the signing process.

He also detailed how the incident unfolded, stating that malicious code in the xrpl.js package sent generated or imported private keys to an external server controlled by the attacker. This enabled hackers to collect key pairs, wait for the wallets to be funded, and then steal the assets.

Wind urged anyone who had recently created an XRP wallet using the API or related tools to assume it had been compromised and to transfer their funds immediately.

He emphasized that such attacks can happen to any software relying on third-party libraries, and that developers must take precautions. He also advised limiting publishing access, scanning code before release, avoiding auto-publishing pipelines, and not managing private keys directly unless fully prepared to handle the associated risks.

XRPL Issues Urgent Patch

Following the incident, the XRP Ledger Foundation has released a clean version of the NPM package, removing the malicious code and ensuring the SDK is safe for developers to use again.

Aikido Security discovered the vulnerability after its automated threat monitoring system flagged suspicious updates to the XRPL package on NPM. These updates, published by a user named “mukulljangid”, included five new versions that did not match any official releases on the XRP Ledger’s GitHub repository.

After investigating, Aikido found that the compromised versions contained a malicious function called checkValidityOfSeed, which sent private keys to the hacker’s server at 0x9c[.]xyz, when users created a wallet that could allow them to steal their crypto.

Early versions (v4.2.1 and v4.2.2) hid the backdoor in compiled JavaScript files, while later versions (v4.2.3 and v4.2.4) embedded the malicious code directly in TypeScript source files, making it harder to detect. The compromised packages also removed development tools like Prettier and build scripts from the package.json file, showing intentional manipulation.

The incident comes only weeks after Ripple announced a $1.25 billion acquisition of prime brokerage firm Hidden Road, a move experts believe will turn XRPL into a major conduit for institutional funds.

According to Ripple CEO Brad Garlinghouse, the network will be used for post-trade settlements on some transactions, potentially turning it into a corporate-scale clearing and credit platform.