XRP Ledger Foundation discloses ‘serious vulnerability’ in recently updated version of XRPL JavaScript library

A new version of the xrpl package, a JavaScript library for interacting with the XRP Ledger, appears to have been released with a security issue, according to a disclosure from the XRP Ledger Foundation on Tuesday. Charlie Eriksen, the Aikido Security malware researcher who identified the vulnerability, said it could lead to a “potentially catastrophic” supply chain attack on the system.

XRP Ledger engineers have seemingly addressed the concern by releasing updated versions of the code to “override the compromised packages and recommend that anyone using the impacted JavaScript libraries (v4.2.1-4.2.4 and v2.14.2) update immediately.” The team also said it would release a post-mortem of the issue once it had a better understanding of how it was released.

“To clarify: This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger. It does NOT affect the XRP Ledger codebase or GitHub repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately,” the foundation wrote in a separate post.
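One way to act on that advice is to check every installed copy of xrpl in a project, not just the one listed in package.json, since a transitive dependency can pin a compromised version even after the direct dependency is upgraded. The following Node.js script is an added example, not code from the article, Aikido, or the XRPL project; the lockfile layouts it walks (npm lockfile v1 nested tree, v2/v3 flat `packages` map) are assumptions about the npm format, and the sample lockfile is constructed.

```javascript
// Added example (not from the article, Aikido, or the XRPL project): audit an npm lockfile
// for the xrpl versions the disclosure lists as compromised.

// Versions named in the disclosure: v4.2.1-4.2.4 and v2.14.2. The fixed release is v4.2.5.
const COMPROMISED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);

// Lockfile v2/v3 keeps a flat "packages" map keyed by install path, e.g.
// "node_modules/xrpl" or "node_modules/some-sdk/node_modules/xrpl" (a nested copy).
// Lockfile v1 only has a nested "dependencies" tree, so both shapes are walked.
function findCompromisedXrpl(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/xrpl$/.test(path)) continue;
    if (meta && COMPROMISED.has(meta.version)) hits.push({ path, version: meta.version });
  }
  if (!lock.packages && lock.dependencies) walkV1(lock.dependencies, "", hits);
  return hits;
}

function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "xrpl" && COMPROMISED.has(meta.version)) hits.push({ path, version: meta.version });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// Constructed sample lockfile: the direct xrpl dependency is already on the fixed
// 4.2.5, but a transitive copy pulled in by another package is still on 4.2.3.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/legacy-sdk": { version: "0.1.0", dependencies: { xrpl: "4.2.3" } },
    "node_modules/legacy-sdk/node_modules/xrpl": { version: "4.2.3" },
  },
});

// Usage: node audit-xrpl.js [path/to/package-lock.json]; without a path the sample is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const json = file ? require("fs").readFileSync(file, "utf8") : SAMPLE_LOCK;
  const hits = findCompromisedXrpl(json);
  for (const h of hits) console.log(`COMPROMISED xrpl@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log("no compromised xrpl versions found");
  if (file && hits.length) process.exitCode = 1; // non-zero exit for CI pipelines
}
```

Yarn and pnpm lockfiles use different layouts and are not handled here; the same version set applies to them.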

XRPL is a blockchain launched by Ripple Labs over a decade ago for cross-border payments and tokenization.

According to Eriksen, a backdoor was inserted into recently released versions of a software-development kit used to build applications and interact with the XRP Ledger. The issue could conceivably enable malicious attackers to steal users’ private keys and potentially gain unauthorized access to their wallets, though it’s unclear if anyone has been impacted.

“At 21 Apr, 20:53 GMT+0, our system, Aikido Intel, started to alert us to five new package versions of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140,000 weekly downloads,” Eriksen wrote. “This package is used by hundreds of thousands of applications and websites making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem.”

He noted that the potential attack would be limited to third-party services that updated to the malicious versions within a short window. The backdoor also appears to be limited to the versions of the code published on npm (Node Package Manager), the registry developers use to share reusable JavaScript packages for Node.js projects. Several projects related to XRP, including Xaman Wallet and XRPScan, noted that their services are likely secure.

“If you believe that you may have been impacted, it’s important to assume that any seed or private key that was processed by the code has been compromised,” Eriksen said. “Those keys should no longer be used, and any assets associated with them should be moved to another wallet/key immediately.”

XRP, the native cryptocurrency of the network used to pay fees, is up 4% on Tuesday amid a broader market rally, according to The Block’s price page.

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

 
