A security incident has been identified in the official XRP Ledger SDK distributed through the NPM registry. The compromise involved several unauthorized versions of the xrpl package, specifically versions 4.2.1 through 4.2.4, which contained a backdoor capable of stealing private keys from users.
The issue was first detected on April 21 by Aikido Security’s monitoring system. The compromised versions appeared on NPM without corresponding releases on the official GitHub repository, indicating unauthorized activity. This discrepancy prompted a deeper investigation that confirmed the presence of malicious behavior in the new versions.
🚨 We have discovered a backdoor in the official #xrpl NPM package. This back door steals private keys and sends them to attackers. The affected versions 4.2.1 – 4.2.4, if you are using an earlier version, do not upgrade. #crypto #malware #npm pic.twitter.com/wshcTFKjbR
— Aikido Security (@AikidoSecurity) April 22, 2025
Nature of the Compromise
Aikido’s official blog post revealed that the malicious code was embedded within the SDK’s core files and was designed to extract private keys when certain operations were performed, such as creating a wallet.
These keys were transmitted to an external server under the attacker’s control. This implies that any application using one of the affected versions was at risk of leaking sensitive wallet credentials.
The attacker published multiple versions over a short period, gradually introducing the malicious code. This progression indicates a deliberate attempt to avoid detection by evolving the method of attack.
Investors in the crypto space must constantly be alert, as hackers stole millions of dollars from Ripple co-founder Chris Larsen in 2024. While these hackers have varying motives, the goal is often to steal funds from unsuspecting crypto holders.
The compromised versions include 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Aikido noted that any system that used the affected package during the window of compromise, from the evening of April 21 to midday of April 22, should be considered at risk.
What Happens Next?
Aikido also revealed that the issue has been fixed, as the maintainers of the XRPL package have since released secure versions, 4.2.5 and 2.14.3, which remove the backdoor and restore the integrity of the package. Developers are urged to verify which version of the package they are using and to upgrade immediately if they are on a compromised version.
If private keys were used with malicious versions, they should be treated as exposed. Assets linked to those keys should be moved to wallets generated after the compromised versions were removed.
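As a way to carry out the version check described above, the following added example (not code from Aikido or the xrpl maintainers) walks a parsed package-lock.json and flags every installed copy of xrpl, including copies pulled in by other dependencies. The version lists come from this article; the sample lockfile is constructed, and mapping each compromised release to the fixed release in the same major line is an assumption.

```javascript
// Added example: flag compromised xrpl releases in a parsed package-lock.json.
// Version lists are the ones named in this article.
const COMPROMISED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
// Assumption: upgrade within the same major line (4.x -> 4.2.5, 2.x -> 2.14.3).
const FIXED = { "4": "4.2.5", "2": "2.14.3" };

// Collect every installed copy of xrpl, including nested/transitive copies.
function findXrpl(lock) {
  const found = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl")) {
      found.push({ path, version: meta.version });
    }
  }
  if (found.length > 0) return found;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Annotate each copy with whether it is a compromised release.
function auditXrpl(lock) {
  return findXrpl(lock).map((hit) => {
    const compromised = COMPROMISED.has(hit.version);
    const upgradeTo = compromised ? FIXED[hit.version.split(".")[0]] : null;
    return { ...hit, compromised, upgradeTo };
  });
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/some-wallet-lib/node_modules/xrpl": { version: "4.2.3" },
    "node_modules/xrpl-helper": { version: "1.0.0" },
  },
};

for (const r of auditXrpl(sampleLock)) {
  const verdict = r.compromised ? `COMPROMISED, upgrade to ${r.upgradeTo} and rotate keys` : "ok";
  console.log(`${r.path}@${r.version}: ${verdict}`);
}
```

To audit a real project, pass the result of JSON.parse on its package-lock.json to auditXrpl in place of the sample object.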
2025 has seen notable attacks in the crypto space. In February, attackers stole $1.46 billion from ByBit, and with attackers now targeting the XRPL, investors need to stay alert to avoid loss of funds. Efforts are underway to identify the individual responsible for publishing the unauthorized packages and to determine whether any users were directly affected.