XRP Ledger Foundation Confirms Serious xrpl JavaScript Library Vulnerability

Nitadel

A major security scare rocked the XRP community after a vulnerability was discovered in a recent version of the popular xrpl JavaScript library, which is widely used to interact with the XRP Ledger (XRPL).

The issue was flagged by Aikido Security researcher Charlie Eriksen and described as a “potentially catastrophic” supply chain attack.

xrpl JavaScript library vulnerability

On Tuesday, the XRP Ledger Foundation confirmed the vulnerability via an official disclosure. It urged all developers and projects using the affected versions (v4.2.1 through v4.2.4 and v2.14.2) to immediately update to v4.2.5. 

The good news is that the vulnerability did not affect the XRP Ledger protocol or its GitHub repository, only the JavaScript SDK hosted on Node Package Manager (NPM).

The XRPL Foundation wrote: “To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or the Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately.” 

According to Eriksen, the problem stems from a malicious backdoor that was quietly inserted into certain versions of the xrpl package published on NPM. This package, the official SDK for building applications on the XRPL, sees over 140,000 weekly downloads and is used by hundreds of thousands of apps and websites. Recall that smart contracts were integrated into the XRPL in 2024.

“This package is used by hundreds of thousands of applications and websites, making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem,” Eriksen warned.

The presence of a backdoor means that any user who interacts with the malicious versions could unknowingly expose their private keys, potentially leading to wallet breaches or unauthorized access.


Also, Eriksen reported that Aikido’s system, Aikido Intel, flagged five suspicious package versions late on April 21. These versions were live briefly, but the potential fallout could be wide-reaching. 

Notably, only those who installed or updated to the malicious package versions are potentially at risk. Fortunately, several XRPL-related projects, including Xaman Wallet, XRPScan, and First Ledger, confirmed they did not adopt the compromised versions and remain secure.

Still, the XRPL Foundation and Eriksen advised caution, noting that if there’s any suspicion that a compromised version was used, developers and users should assume all private keys may be compromised. In such cases, immediately transferring assets to a new wallet and discarding old keys is the safest action.


XRPL engineers patch vulnerability issues

Per a follow-up update, XRPL engineers patched the vulnerability and rolled out clean versions of the SDK, urging projects and developers to update to v4.2.5 of xrpl.js. A full post-mortem is expected soon to shed light on how the malicious code was published in the first place.

The XRPL Foundation noted: “We’ve deprecated the compromised xrpl.js versions (4.2.1-4.2.4 and v2.14.2) on npm. A detailed post-mortem will be shared soon. Ensure you’re using v4.2.5 or v2.14.3.” For developers using XRPL in their projects, this is a stark reminder to audit dependencies regularly and stay on top of security alerts. 
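As an added example (not code from the article, the XRPL Foundation, or the xrpl.js project), a short Node.js check that scans a project's package-lock.json for the deprecated xrpl.js versions named above and reports the fixed release to move to. The sample lock file is constructed for the demonstration.

```javascript
// Added example (not from the article or the xrpl.js project): scan a
// package-lock.json for the xrpl.js versions the XRPL Foundation deprecated.
// Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map),
// including copies nested under another dependency's node_modules.

// Versions named in the disclosure; anything else is treated as not affected.
const AFFECTED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
// Fixed release per major line, as stated by the Foundation.
const FIXED = { "4": "4.2.5", "2": "2.14.3" };

// Returns [{ path, version, upgradeTo }] for every affected xrpl entry.
function findAffectedXrpl(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  const record = (path, version) => {
    if (AFFECTED.has(version)) {
      hits.push({ path, version, upgradeTo: FIXED[version.split(".")[0]] });
    }
  };
  // lockfileVersion 2 and 3: flat map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/xrpl" || path.endsWith("/node_modules/xrpl")) {
      record(path, entry.version);
    }
  }
  // lockfileVersion 1 only: nested tree (v2 also has this block, but its
  // "packages" map already covers every entry, so skip it to avoid duplicates).
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl") record(path, entry.version);
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lock file: a direct 4.2.3 install plus a clean nested 2.14.3.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { xrpl: "^4.2.0" } },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/xrpl": { version: "2.14.3" },
  },
});

for (const hit of findAffectedXrpl(SAMPLE_LOCK)) {
  console.log(`${hit.path}: xrpl ${hit.version} is deprecated; upgrade to ${hit.upgradeTo}`);
}
```

Run it against a real lock file with `findAffectedXrpl(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no deprecated xrpl.js version is pinned anywhere in the tree.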

Despite the brief scare, the XRPL's native token, XRP, has increased over 8% in the past 24 hours amid broader crypto market gains, indicating that investor confidence remains strong. Adding to the bullish sentiment is the launch of XRP futures trading on Coinbase Derivatives.
