XRP Ledger SDK Vulnerability Exposed Private Keys

Aikido Security recently uncovered a significant vulnerability in the XRP Ledger’s (XRPL) official JavaScript SDK. The issue involved multiple compromised versions of the XRPL Node Package Manager (NPM) package, which were published to the registry starting April 21. The affected versions, v4.2.1 through v4.2.4 and v2.14.2, contained a backdoor designed to exfiltrate private keys, posing a severe risk to crypto wallets that relied on the software.

An NPM package is a reusable module for JavaScript and Node.js projects, designed to simplify installation, updates, and removal. Aikido Security’s automated threat monitoring platform flagged the anomaly at 8:53 PM UTC on April 21 when NPM user “mukulljangid” published five new versions of the XRPL package. These releases did not match any tagged releases on the official GitHub repository, raising immediate suspicion of a supply chain compromise.

Aikido’s analysis revealed that the compromised packages contained a function called checkValidityOfSeed, which made outbound calls to the newly registered and unverified domain 0x9c[.]xyz. This function was triggered during the instantiation of the wallet class, causing private keys to be silently transmitted when creating a wallet. Early versions (v4.2.1 and v4.2.2) embedded the malicious code in the built JavaScript files, while subsequent versions (v4.2.3 and v4.2.4) introduced the backdoor into the TypeScript source files, followed by their compilation into production code. The attacker appeared to iterate on evasion techniques, shifting from manual JavaScript manipulation to deeper integration in the SDK’s build process.

The report stated that this package is used by hundreds of thousands of applications and websites, describing the event as a targeted attack against the crypto development infrastructure. The compromised versions also removed development tools such as prettier and scripts from the package.json file, further indicating deliberate tampering.

The XRP Ledger Foundation acknowledged the issue in a public statement published on April 22. It stated: “Earlier today, a security researcher from Aikido Security identified a serious vulnerability in the xrpl npm package (v4.2.1–4.2.4 and v2.14.2). We are aware of the issue and are actively working on a fix. A detailed post-mortem will follow.”

Mark Ibanez, CTO of XRP Ledger-based Gen3 Games, noted that his team avoided the compromised package versions with a “bit of luck.” He explained that their package.json specified ‘xrpl’: ‘^4.1.0’, which means that, under normal circumstances, any compatible minor or patch version—including potentially compromised ones—could have been installed during development, builds, or deployments. However, Gen3 Games commits its pnpm-lock.yaml file to version control, ensuring that exact versions, not newly published ones, were installed during development and deployment.

Ibanez emphasized several practices to mitigate risks, such as always committing the “lockfile” to version control, using Performant NPM (PNPM) when possible, and avoiding the use of the caret (^) symbol in package.json to prevent unintended version upgrades. The software developer kit maintained by Ripple and distributed through NPM receives over 140,000 downloads per week, with developers widely using it to build applications on the XRP Ledger. The XRP Ledger Foundation removed the affected versions from the NPM registry shortly after the disclosure. Still, it remains unknown how many users had integrated the compromised versions before the issue was flagged.