2025-04-22

David Schwartz, chief technology officer at Ripple, has taken to social media to warn about malicious code in the most recent versions of the library for XRPL developers that could steal private keys.

Earlier today, Aikido Security revealed that the XRPL package on npm, the default package manager for JavaScript, had been compromised.

Recently, several new versions of xrpl.js, the software development kit for the XRPL, were released with malicious code. The fact that this code is not part of the official GitHub repository immediately raised suspicion.

The suspicious code change was discovered with the help of the AI-powered threat monitoring system used by Aikido Security.

With the help of the malicious code, private keys could be secretly sent to an unknown domain, which is obviously a major red flag.

The cryptocurrency wallets of those who use these most recent versions of the software development kit could be easily compromised.

Hence, those who fell into the trap and installed the malicious versions should treat their private keys as stolen.

That said, regular XRP users who rely on well-known apps such as Xumm are highly unlikely to be affected.

It is worth noting that the malicious versions have already been removed by official maintainers at the XRP Ledger Foundation.

The security of the XRP Ledger itself has not been compromised, and it continues to operate normally.

"XRPL is fine, it is in the developer SDK that was compromised, this is widely used by cryptocurrency applications and services but the ledger itself remains secure," Aikido Security clarified.

This has also been confirmed by Mayukha Vadari, senior software engineer at RippleX.

"The XRP Ledger itself is unaffected by this. The malware packages only affect services that use xrpl.js and upgraded to the malicious versions that were published less than 24 hours ago. GitHub remains safe, only npm was compromised.

Please avoid using any services that have…" https://t.co/ySWcl50Pmf — Mayukha Vadari (@msvadari) April 22, 2025

Aikido Security claims that it is currently investigating the threat actors who pulled off the attack.

"We are investigating. We have some ideas on the threat actors involved, it fits a pattern we see a lot. Will update when we can confirm," it said.