XRP Ledger NPM Package Compromised in Potential Crypto Theft Backdoor
In less than three months, the blockchain supporting XRP—one of the largest cryptocurrencies by market cap—has faced another major security scare.
Developer security platform Aikido has revealed that a widely used NPM package for the XRP Ledger (XRPL) was compromised. The malicious version of the package contained a backdoor capable of stealing private crypto keys and wallet access credentials.
“This package is integrated into hundreds of thousands of apps and websites, making it a potentially catastrophic supply chain attack,” warned Charlie Eriksen, a malware researcher at Aikido.
The suspicious versions of the XRPL package—uploaded by a user named mukulljangid—did not align with official releases on GitHub. The injected code was designed to silently send private keys to the 0x9c[.]xyz domain, which was only registered in January 2025.
Eriksen explained that the attacker employed multiple tactics to stay under the radar, including hiding the backdoor in both compiled JavaScript and TypeScript source code.
Developers who installed the package between April 21, 20:53 GMT+0, and April 22, 13:00 GMT+0 are advised to review their network logs for connections to the suspicious domain. “If you used the package during this time, assume your private keys are compromised,” Eriksen cautioned.
The XRP Ledger Foundation has since released a clean version of the NPM package to eliminate the threat.
This follows another serious incident in February 2025, when the XRPL network went offline for over an hour due to unexplained technical issues. Concerns have also been raised over the network’s reliance on just 35 validator nodes for securing XRP, now valued at $130 billion.
Despite the alarming discovery, XRP's market remains resilient—the token’s price surged 7% within a day of the news.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
