TL;DR
- A hacker attempted to attack the XRP Ledger infrastructure by compromising an NPM token and distributing malicious versions of xrpl.js.
- Aikido Security detected five tampered versions, and the XRP Ledger Foundation released a secure update without affecting the project’s core.
- Ripple Labs closed its legal dispute with the SEC after more than three years, agreeing to pay $50 million and recover another $75 million.
An attempted attack against the XRP Ledger infrastructure was neutralized before causing major damage. A hacker managed to access an NPM package publishing token belonging to a developer and used that credential to distribute compromised versions of xrpl.js, the official library that enables interaction with the Ripple network from JavaScript applications.
The incident was detected by Aikido Security and put at risk any application that had automatically installed the affected versions. According to researcher Charlie Eriksen, the malicious versions contained hidden code that captured private keys and sent them to servers controlled by the attacker. The severity lies in the wide distribution of the library, which logs over 140,000 weekly downloads and is integrated into applications and services related to XRP throughout the ecosystem.
🚨We have discovered a backdoor in the official #xrpl NPM package. This back door steals private keys and sends them to attackers. The affected versions 4.2.1 – 4.2.4, if you are using an earlier version, do not upgrade. #crypto #malware #npm
— Aikido Security (@AikidoSecurity) April 22, 2025
The XRP Ledger Core Was Not Compromised
Aikido quickly identified five tampered versions and notified the relevant technical authorities. The XRP Ledger Foundation immediately disabled those versions and published a corrected update as version 4.2.5. The core XRP Ledger source code and its official GitHub repository were not compromised. The attack remained limited to the libraries distributed through NPM and did not affect services like Xaman Wallet or block explorers such as XRPScan, which confirmed they had not incorporated the compromised packages.
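For teams checking whether they pulled one of the tampered builds, the following added example (not from the article or the xrpl.js project) walks a package-lock.json and flags any install of the `xrpl` npm package whose version falls in the 4.2.1 to 4.2.4 range named above, including copies nested under other dependencies; the lockfile contents are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for xrpl
// versions the article lists as tampered (4.2.1-4.2.4); 4.2.5 is the fix.
const AFFECTED = { name: 'xrpl', min: [4, 2, 1], max: [4, 2, 4], fixed: '4.2.5' };

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True only for versions inside the inclusive tampered range.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.max) <= 0;
}

// Every installed copy has a "node_modules/<name>" path; the last segment is
// the package name, so transitive (nested) installs are checked as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name !== AFFECTED.name || !entry.version) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one direct tampered install, one nested safe one.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app' },
    'node_modules/xrpl': { version: '4.2.3' },
    'node_modules/some-wallet-sdk/node_modules/xrpl': { version: '4.1.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(f.affected
    ? `${f.path}: xrpl ${f.version} is a tampered build; upgrade to ${AFFECTED.fixed} and treat keys handled by that build as exposed`
    : `${f.path}: xrpl ${f.version} is outside the tampered range`);
}
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync('package-lock.json'))` in a real project; a version of 4.2.0 or earlier is reported as not affected, matching the advisory's advice not to upgrade from those.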
Meanwhile, a long legal chapter that Ripple Labs maintained with the United States Securities and Exchange Commission came to a close. The dispute began in December 2020, when the SEC accused the company of selling XRP as an unregistered security — an allegation Ripple denied, arguing it is a cryptocurrency.
In 2023, a federal judge partially ruled in favor of the SEC regarding institutional sales, though not in secondary markets. Finally, in March of this year, both parties reached a settlement. Ripple will pay $50 million and recover another $75 million, while both agreed to drop the pending appeals.