Ripple’s xrpl.js npm package backdoored to steal private keys in major supply chain attack

3 Min Read

The Ripple cryptocurrency npm JavaScript library xrpl.js was compromised by unknown threat actors as part of a software supply chain attack designed to harvest and exfiltrate users’ private keys.

The malicious code was found in five versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. The issue has been addressed in versions 4.2.5 and 2.14.3.

xrpl.js is a popular JavaScript API for interacting with the XRP Ledger blockchain, also known as the Ripple Protocol, a cryptocurrency platform launched by Ripple Labs in 2012. The package has been downloaded over 2.9 million times to date and attracts over 135,000 weekly downloads.

“The official XRPL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal private cryptocurrency keys and gain access to cryptocurrency wallets,” Aikido said.

The malicious code changes were introduced on April 21, 2025 by a user named “mukulljangid”. The threat actor added a new function, checkValidityOfSeed, designed to send stolen seeds to an external domain (“0x9c[.]xyz”).
</gra_replace>
<gr_replace lines="16" cat="clarify" orig="It is worth noting">
It is worth noting that “mukulljangid” likely belongs to a Ripple employee, which indicates that the npm account was hijacked to pull off the supply chain attack.

It is worth noting that “Mukulljangid” is likely to belong to a Ripple employee. This indicates that the NPM account has been hacked and stopped the supply chain attack.

The attackers are said to have tried different ways of sneaking in the backdoor while trying to avoid detection, as evidenced by the several versions released in a short period of time. There is no evidence that the associated GitHub repository was compromised.

It is not clear who is behind the attack, but it is believed that the threat actors were able to steal the developer’s npm access token and tamper with the library, per Aikido.


In light of the incident, users relying on the xrpl.js library are advised to update to the latest versions (4.2.5 and 2.14.3) to mitigate potential threats.

“This vulnerability lies in xrpl.js, a JavaScript library for interacting with the XRP Ledger,” the XRP Ledger Foundation stated in a post on X.

Update

The xrpl.js supply chain compromise has been assigned the CVE identifier CVE-2025-32965 (CVSS score: 9.3).

“Versions 4.2.1, 4.2.2, 4.2.3 and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys,” according to the GitHub advisory. “If you are using any of these versions, stop immediately and rotate any private keys or secrets used by the affected system.”

“Version 2.14.2 is also malicious, but it is not compatible with other 2.x versions, making it less likely to lead to exploitation. To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets and rotating keys.”
