XRP Ledger SDK Breach Exposes Users to Private Key Theft
A security breach has been uncovered in the official XRP Ledger SDK, distributed through the NPM registry. The compromise involved unauthorized versions of the xrpl package, specifically versions 4.2.1 through 4.2.4, which contained a backdoor designed to steal private keys from users. The issue was first detected on April 21 by Aikido Security's monitoring system, which flagged that versions published to NPM did not correspond to any release in the official GitHub repository, a discrepancy that pointed to unauthorized publishing. This prompted a deeper investigation that confirmed the presence of malicious behavior in the new versions.
The malicious code was embedded within the SDK’s core files and was designed to extract private keys during certain operations, such as creating a wallet. These keys were then transmitted to an external server controlled by the attacker, putting any application using the affected versions at risk of leaking sensitive wallet credentials. The attacker published multiple versions over a short period, gradually introducing the malicious code, which suggests a deliberate attempt to avoid detection by evolving the method of attack.
Investors in the crypto space must remain vigilant, as hackers have previously stolen millions of dollars from high-profile figures such as Ripple co-founder Chris Larsen in 2024. The compromised versions include 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Aikido noted that any system that used the affected package during the window of compromise, from the evening of April 21 to midday of April 22, should be considered at risk.
Aikido reports that the issue has been addressed: the maintainers of the xrpl package have released secure versions, 4.2.5 and 2.14.3, which remove the backdoor and restore the integrity of the package. Developers are urged to verify which version of the package they are using, including copies pulled in transitively by other dependencies, and to upgrade immediately if they are on a compromised version. If private keys were used with malicious versions, they should be treated as exposed, and assets linked to those keys should be moved to new wallets generated only after upgrading to a clean release.
Efforts are underway to identify the individual responsible for publishing the unauthorized packages and to determine whether any users were directly affected. The crypto space has seen notable attacks in 2025, including a $1.46 billion theft from ByBit in February, highlighting the need for investors to stay alert to avoid loss of funds.
