In the wake of a significant security incident that affected the XRP Ledger’s JavaScript SDK, developers now have a green light to resume updates and integrations, with caution. Blockchain validator and well-known XRPL contributor Vet has confirmed that the compromised versions of the xrpl.js library have officially been removed, and a new secure release is now available.
The new version, xrpl.js 4.2.5, was pushed live just minutes before Vet’s update on X, offering a secure pathway for developers to continue building without putting user assets or application functionality at risk.
🚨 The compromised xrpl js npm versions are removed now and the issue resolved.
In addition there has been a new version released – 4.2.5 a couple minutes ago, updating to this version is safe.
Please still make sure your app libs are up to date on safe versions.
— Vet (@Vet_X0) April 22, 2025
Ripple’s Developer Ecosystem Breathes a Sigh of Relief
The development community has been on high alert since Vet first sounded the alarm earlier this week. Versions 4.2.1 and above of the xrpl.js package—an essential tool used by developers to interact with the XRP Ledger—were found to be compromised. The breach raised immediate concerns over the integrity of several active XRPL-based applications.
Vet’s initial warning urged developers and project leads to immediately halt usage of any affected versions. Failure to do so, he warned, could expose users to serious risks, including potential fund loss. The gravity of the situation prompted rapid action across the ecosystem, with developers auditing dependencies and halting updates until further notice.
Safe Version 4.2.5 Now Available
Today’s announcement that version 4.2.5 is safe marks a major step forward. According to Vet, the malicious code has been fully removed from the npm registry, and developers are now advised to upgrade to this latest version immediately.
“Updating to 4.2.5 is safe,” Vet wrote. “Please still make sure your app libs are up to date on safe versions.”
Developers are encouraged to review their projects’ dependencies and deployment environments to ensure no remnants of the compromised versions remain.
A Wake-Up Call for Web3 Security
While the XRP Ledger remains one of the most battle-tested and secure blockchains in the industry, the incident serves as a stark reminder that even the most robust ecosystems are not immune to supply chain vulnerabilities. The quick identification and resolution of the issue underscore the XRPL community’s resilience and the importance of constant vigilance in Web3 development.
The rapid release of a clean version and transparency from contributors like Vet have helped mitigate wider damage and reestablish trust.
What Comes Next?
As the dust settles, all eyes now turn to ensuring no further fallout emerges from the compromised versions. Projects built on XRPL are advised to double-check their builds and communicate with users about any required security updates.
With the safe 4.2.5 version now live, development can resume—but the industry is left with a fresh reminder: Web3 moves fast, and its safety depends on proactive, informed action.