malware attempt foiled in sdk

Hackers slipped a nasty surprise into the XRP Ledger's software development kit, compromising five versions of the official NPM package with crypto-stealing malware. The attack, discovered on April 21, 2025, targeted the JavaScript library used by developers worldwide to interact with the XRP Ledger.

Talk about perfect timing – Aikido Security's automated threat monitoring platform caught the suspicious activity at 8:53 PM UTC. Their system, which uses LLMs to scan package managers like NPM, spotted something fishy in versions v4.2.1 through v4.2.4 and v2.14.2.

Turns out, a user going by “mukulljangid” had published these compromised versions, which didn't match the official GitHub releases. The malware was sneaky, hiding in plain sight within a function called “checkValidityOfSeed.” Real creative naming there, hackers. Much like the ERC20 token standard, the XRP Ledger depends on strict protocol rules to keep its ecosystem secure.

The code made sketchy calls to a freshly registered domain, 0x9c[.]xyz, attempting to steal private keys from cryptocurrency wallets. Charlie Eriksen, Aikido’s malware researcher, didn’t mince words when calling it “potentially catastrophic.” The malicious code was designed to steal wallet keys during initialization of the Wallet class.

The XRP Ledger team jumped into action fast. They pushed out version 4.2.5 as an emergency fix and officially addressed the compromised versions. The XRPL Foundation dropped everything to issue a formal disclosure about the “serious vulnerability.” The team strongly recommended developers conduct thorough audits of their project dependencies to ensure safety.
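The dependency audit the team recommends can be started from a project's lockfile. The following is an added example, not code from the article, xrpl.js, Aikido or the XRPL Foundation: it takes a parsed `package-lock.json` (both the older `lockfileVersion: 1` nested tree and the `lockfileVersion: 2/3` flat `packages` map that npm writes) and reports every installed copy of `xrpl` whose version is one of the five the article names. The lock objects in the block are constructed samples; the function and variable names are this example's own.

```javascript
// Added example: find the compromised xrpl releases named in the article
// inside a parsed package-lock.json. Not the project's own tooling.
const COMPROMISED_XRPL_VERSIONS = new Set([
  "4.2.1", "4.2.2", "4.2.3", "4.2.4", // v4.2.1 through v4.2.4
  "2.14.2",                            // v2.14.2
]);

// lockfileVersion 2 and 3: "packages" maps install paths such as
// "node_modules/foo/node_modules/xrpl" to entries carrying a "version".
function scanPackagesMap(packages) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(packages || {})) {
    if (installPath === "") continue; // "" is the root project itself
    const name = installPath.split("node_modules/").pop(); // keeps "@scope/name" intact
    if (name === "xrpl" && entry && COMPROMISED_XRPL_VERSIONS.has(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// lockfileVersion 1: a nested "dependencies" tree, so recurse and rebuild the path.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const installPath = `${prefix}node_modules/${name}`;
    if (name === "xrpl" && COMPROMISED_XRPL_VERSIONS.has(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
    if (entry.dependencies) {
      scanDependencyTree(entry.dependencies, `${installPath}/`, hits);
    }
  }
  return hits;
}

// Entry point: returns [{ path, version }] for every compromised xrpl install,
// including transitive copies nested under other dependencies.
function findCompromisedXrpl(lock) {
  if (lock.packages) return scanPackagesMap(lock.packages);
  return scanDependencyTree(lock.dependencies, "", []);
}

// Constructed sample: a v3 lockfile with a bad top-level xrpl and a clean nested one.
const sampleLockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-xrpl-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.3" },
    "node_modules/some-wrapper": { version: "0.1.0" },
    "node_modules/some-wrapper/node_modules/xrpl": { version: "4.2.5" },
  },
};

// Constructed sample: a v1 lockfile with the bad 2.x release at top level.
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    xrpl: { version: "2.14.2" },
    "other-lib": { version: "1.0.0", dependencies: { xrpl: { version: "4.2.0" } } },
  },
};

for (const lock of [sampleLockV3, sampleLockV1]) {
  const hits = findCompromisedXrpl(lock);
  console.log(`lockfileVersion ${lock.lockfileVersion}:`,
    hits.length ? hits : "no compromised xrpl versions found");
}
```

A clean lockfile is only the first check: the lockfile records what is pinned, not what ran, so any build that installed one of these versions should be treated as having exposed every seed or private key that passed through `Wallet` initialization while that build was in use.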

Thankfully, the attack only affected the JavaScript SDK – not the actual XRP Ledger codebase. This whole mess shows just how crafty attackers are getting. Instead of going after end-users directly, they’re targeting the tools developers use.

It’s like poisoning the well instead of individual water bottles. The attack specifically hit xrpl.js, a critical component for JavaScript and Node.js projects working with the XRP Ledger. The Foundation promised a detailed post-mortem once they finish investigating.

For now, developers can breathe easier knowing the compromised versions have been addressed. But this close call serves as a stark reminder: in the crypto world, even the most trusted tools aren’t immune to attack.