
tl;dr
Aikido Security discovered that multiple versions (v4.2.1 to v4.2.4 and v2.14.2) of the XRP Ledger's official JavaScript SDK on NPM were compromised with a backdoor designed to steal private wallet keys. The malicious code, embedded in wallet initialization, sent private keys to an unverified domain...
Aikido Security uncovered a backdoor in compromised versions (v4.2.1 to v4.2.4 and v2.14.2) of the XRP Ledger's official JavaScript SDK, the `xrpl` package distributed through the NPM registry. The malicious code was inserted into the wallet initialization path, so the private key or seed handed to the SDK when a wallet object was created was sent to an external domain that has no connection to the project, without anything being written to the console or logs.
The attack evolved across the compromised releases. The first versions only altered the built JavaScript files inside the published NPM tarball, so the package on the registry no longer matched the project's own source. Later releases moved the backdoor into the TypeScript source, so the build process itself produced the malicious output. The attacker also stripped development tooling from the package, which reduced the chance that a formatter or lint step would flag the change. Taken together, these steps point to a deliberate supply chain compromise aimed at the XRP Ledger developer ecosystem rather than an opportunistic one.
With hundreds of thousands of applications relying on this SDK, the compromise put crypto wallet security at risk across a wide user base. The XRP Ledger Foundation responded quickly: it acknowledged the compromise, removed the affected versions from NPM, and committed to publishing a post-mortem. Because the backdoor exfiltrated keys at wallet creation, any seed or private key used with an affected version should be treated as exposed; the practical remediation is to move funds to a wallet generated with a clean version, not just to upgrade the dependency.
Developers are strongly urged to reduce exposure by pinning dependency versions exactly, avoiding caret (^) and tilde (~) specifiers that let the package manager pull a newer release on the next install, and committing the lockfile (package-lock.json or pnpm-lock.yaml) to version control so builds are deterministic. A committed lockfile only protects a build that honors it, so install with `npm ci` or `pnpm install --frozen-lockfile` in CI rather than a plain `npm install`. Pinning also does nothing if the pinned or locked version is itself one of the affected releases, so check the resolved version of `xrpl` against the list above. PNPM adds useful defaults on top of this: it refuses to install when the lockfile is out of sync in CI and, since v10, does not run dependency lifecycle scripts unless they are explicitly allowed. Note that the latter would not have stopped this particular backdoor, which ran at wallet creation rather than at install time.
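The audit below is an added example, not code from the Aikido write-up or from the xrpl.js project. It reads a project's package.json plus a package-lock.json or pnpm-lock.yaml, flags any `xrpl` specifier that is not an exact pin, and reports whether the lockfile resolves `xrpl` to one of the versions the article names as compromised. The sample package.json and lockfile contents are constructed inline; the clean version `4.2.5` used in the "after" sample is an assumption standing in for "a release outside the affected set", and the pnpm lockfile is matched with a regular expression on its `name@version:` keys rather than a full YAML parser.

```javascript
'use strict';

// Added audit script (not from the Aikido write-up or the xrpl.js project).
// It checks a project's package.json and lockfile for the backdoored xrpl
// releases the article names, and for floating ranges that would let a package
// manager pull one in on the next install.

// Versions the article lists as compromised: v4.2.1 to v4.2.4 and v2.14.2.
const COMPROMISED_XRPL_VERSIONS = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// True only for a bare "x.y.z" pin. A caret, tilde, comparator, "*", "latest"
// or dist-tag lets the resolver choose a newer release at install time.
// "=x.y.z" and "npm:alias@x.y.z" forms are deliberately treated as non-pins
// so the audit errs toward flagging.
function isExactPin(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Every specifier for `name` across the dependency sections of a package.json.
function declaredSpecs(pkg, name) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const out = [];
  for (const section of sections) {
    const deps = pkg[section];
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) {
      out.push({ section, spec: deps[name] });
    }
  }
  return out;
}

// Resolved versions of `name` in a package-lock.json (lockfileVersion 2/3
// "packages" map, with a fallback for the v1 "dependencies" tree).
function lockedVersionsNpm(lock, name) {
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && entry && entry.version) versions.add(entry.version);
  }
  const v1 = lock.dependencies && lock.dependencies[name];
  if (v1 && v1.version) versions.add(v1.version);
  return versions;
}

// Resolved versions of `name` in a pnpm-lock.yaml. Instead of a YAML parser,
// match the "name@version:" keys pnpm writes under `packages:` / `snapshots:`
// (lockfile v6 prefixes them with "/", v9 does not; quoting varies).
function lockedVersionsPnpm(lockText, name) {
  const versions = new Set();
  const re = new RegExp("^\\s*'?/?" + escapeRegExp(name) + "@(\\d+\\.\\d+\\.\\d+[0-9A-Za-z.-]*)", 'gm');
  let m;
  while ((m = re.exec(lockText)) !== null) versions.add(m[1]);
  return versions;
}

// Audit one project. Returns the versions the lockfile(s) resolve `name` to
// and a list of findings; an empty findings list means: pinned exactly,
// lockfile present, nothing resolved to a compromised release.
function auditXrpl({ packageJsonText, npmLockText = null, pnpmLockText = null }, name = 'xrpl') {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];

  for (const { section, spec } of declaredSpecs(pkg, name)) {
    if (!isExactPin(spec)) {
      findings.push({ kind: 'floating-range', section, spec });
    } else if (COMPROMISED_XRPL_VERSIONS.has(spec)) {
      findings.push({ kind: 'pinned-to-compromised', section, spec });
    }
  }

  const locked = new Set();
  if (npmLockText) for (const v of lockedVersionsNpm(JSON.parse(npmLockText), name)) locked.add(v);
  if (pnpmLockText) for (const v of lockedVersionsPnpm(pnpmLockText, name)) locked.add(v);
  if (!npmLockText && !pnpmLockText) findings.push({ kind: 'no-lockfile' });

  for (const version of locked) {
    if (COMPROMISED_XRPL_VERSIONS.has(version)) findings.push({ kind: 'lockfile-compromised', version });
  }
  return { locked: [...locked].sort(), findings };
}

// Constructed sample: a caret range whose pnpm lockfile resolved to 4.2.3.
const BEFORE_PACKAGE_JSON = JSON.stringify({ name: 'wallet-app', version: '1.0.0', dependencies: { xrpl: '^4.2.0' } });
const BEFORE_PNPM_LOCK = [
  "lockfileVersion: '9.0'",
  'importers:',
  '  .:',
  '    dependencies:',
  '      xrpl:',
  '        specifier: ^4.2.0',
  '        version: 4.2.3',
  'packages:',
  '  xrpl@4.2.3:',
  '    resolution: {integrity: sha512-constructed-placeholder}',
  '',
].join('\n');

// Constructed sample: the same project after pinning an exact version and
// regenerating the lockfile. 4.2.5 stands in for "a release outside the
// affected set" (an assumption; check the project's advisory for the current one).
const AFTER_PACKAGE_JSON = JSON.stringify({ name: 'wallet-app', version: '1.0.0', dependencies: { xrpl: '4.2.5' } });
const AFTER_PNPM_LOCK = BEFORE_PNPM_LOCK.replace(/4\.2\.3/g, '4.2.5').replace('^4.2.0', '4.2.5');

console.log('before:', JSON.stringify(auditXrpl({ packageJsonText: BEFORE_PACKAGE_JSON, pnpmLockText: BEFORE_PNPM_LOCK })));
console.log('after: ', JSON.stringify(auditXrpl({ packageJsonText: AFTER_PACKAGE_JSON, pnpmLockText: AFTER_PNPM_LOCK })));
```

Run it with `node` against the constructed samples, or swap in `fs.readFileSync` of a real package.json and lockfile. The "before" sample produces two findings (a floating `^4.2.0` range and a lockfile resolved to 4.2.3); the "after" sample produces none. An empty findings list is not a clean bill of health on its own: it says the manifest and lockfile agree on a version outside the affected set, which is the precondition for `npm ci` or `pnpm install --frozen-lockfile` to reproduce that state.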
This incident underscores the critical importance of vigilant package management in crypto infrastructure and the evolving tactics attackers employ to infiltrate trusted development tools.