
Aikido Intel has issued an urgent alert after detecting a backdoor in multiple versions of xrpl.js, the official SDK for the XRP Ledger, marking one of the most severe supply chain attacks to hit the cryptocurrency development ecosystem.
The compromised package—with over 140,000 weekly downloads—is widely integrated across hundreds of applications, making this breach particularly alarming.
“We quickly confirmed the official XRPL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets,” the report warns.
The malicious code was injected into the SDK beginning April 21, 2025, by a threat actor using the npm username “mukulljangid”. It’s believed the attackers gained access to the developer’s npm credentials, enabling them to tamper with the package and add a data-exfiltration function targeting private wallet keys.
The introduced function, checkValidityOfSeed, secretly transmits sensitive wallet credentials to a remote server, potentially compromising funds in real time for any application using the infected versions. This issue is tracked as CVE-2025-32965 (CVSSv4 9.3).
“Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys,” confirms the security advisory. “Version 2.14.2 is also malicious… though it is less likely to lead to exploitation.”
Immediate action is required. Developers and organizations using affected versions must:
- Upgrade to patched versions:
  - 4.2.5 (for the 4.x branch)
  - 2.14.3 (for the 2.x branch)
- Rotate private keys or secrets used with affected libraries.
- Disable master keys if they may have been compromised.
- Use XRP Ledger key rotation mechanisms:
  - Guide: Assign a regular key pair
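To find out whether a project pulled in one of the affected releases, including copies nested under other dependencies, the lockfile can be checked against the version list in the advisory. The following is an added example, not code from Aikido or the xrpl.js project; it assumes the SDK is installed under its npm name `xrpl`, and the function names and the sample lockfile are constructed for illustration.

```javascript
// Versions named as malicious in the advisory quoted above.
const COMPROMISED = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const PACKAGE_NAME = "xrpl"; // assumption: xrpl.js is installed under this npm name

// Patched release per branch, as listed in the remediation steps.
function patchedVersionFor(version) {
  return version.startsWith("2.") ? "2.14.3" : "4.2.5";
}

// Walk a parsed package-lock.json and report every compromised copy,
// including copies nested under other dependencies.
function findCompromisedXrpl(lock) {
  const findings = [];
  const report = (location, version) => {
    if (COMPROMISED.has(version)) {
      findings.push({ location, version, upgradeTo: patchedVersionFor(version) });
    }
  };

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (name === PACKAGE_NAME) report(path, entry.version);
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const location = trail.concat(name).join(" > ");
      if (name === PACKAGE_NAME) report(location, entry.version);
      walk(entry.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);

  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/pay-widget/node_modules/xrpl": { version: "4.2.3" },
    "node_modules/legacy-tool/node_modules/xrpl": { version: "2.14.2" },
  },
};
console.log(findCompromisedXrpl(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of its `package-lock.json` to `findCompromisedXrpl`. A hit means the keys handled by that application should be treated as exposed and rotated, not only that the package should be upgraded.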