Critical Supply Chain Attack Exposes XRP Users to Crypto Theft

Aikido Intel Uncovers Malicious Backdoor in Official xrpl NPM Package

In a highly alarming development for the cryptocurrency ecosystem, Aikido Security’s threat intelligence division has uncovered a sophisticated supply chain attack involving the official XRP Ledger (XRPL) SDK distributed via NPM. With over 140,000 weekly downloads, this library serves as a backbone for hundreds of thousands of cryptocurrency applications and services globally.

Malicious Packages Slip Through Official Channels

Between April 21, 20:53 GMT+0 and April 22, 13:00 GMT+0, a user identified as mukulljangid uploaded five new versions of the xrpl package to NPM:

  • 4.2.1
  • 4.2.2
  • 4.2.3
  • 4.2.4
  • 2.14.2

What raised immediate red flags was that these versions did not correspond to any official releases on the XRPL GitHub repository, where the latest known version was 4.2.0. The discrepancy prompted a deeper investigation.

Hidden Backdoor for Stealing Crypto Wallet Keys

At first glance, the package code appeared unaltered—until Aikido’s automated LLM-powered threat scanning tool discovered a suspicious function: checkValidityOfSeed.

The function silently sends private keys or seed phrases to a malicious domain: 0x9c[.]xyz. The domain was newly registered, further confirming its illegitimacy.

This malicious function is called automatically during multiple wallet operations—such as:

  • Wallet instantiation
  • Wallet generation from mnemonic phrases or entropy
  • Wallet derivation from seed

Essentially, any use of the compromised versions could silently leak sensitive credentials.

Technical Evolution of the Attack

The attacker carefully escalated the sophistication of the backdoor over multiple versions:

  • 4.2.1: Removal of build scripts and config changes
  • 4.2.2: First insertion of malicious JavaScript files
  • 4.2.3 and 4.2.4: Backdoor migrated into TypeScript source code (compiled later), making it more subtle and durable

How to Check If You're Affected

Search your project for these versions in your package.json or package-lock.json:

  • 4.2.1 through 4.2.4
  • 2.14.2

Inspect for outbound requests to: 0x9c[.]xyz

If such activity is found, you must immediately consider all private keys as compromised.
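The check described above, as an added example that is not Aikido's or the xrpl project's code: it walks a package-lock.json (both the v1 nested "dependencies" tree and the v2/v3 "packages" map) for installed xrpl copies on the affected-version list, including nested copies pulled in by other dependencies, and searches source text for the two indicators the advisory names. The sample lockfile and source line are constructed for illustration.

```javascript
// Versions the advisory lists as backdoored; anything else is left alone.
const AFFECTED_XRPL_VERSIONS = new Set(["4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"]);
const IOC_DOMAIN = "0x9c.xyz";             // written defanged in the advisory as 0x9c[.]xyz
const IOC_FUNCTION = "checkValidityOfSeed"; // name of the exfiltration function

// Return every installed xrpl copy on the affected list, with its lockfile path.
// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 (nested tree).
function findAffectedXrpl(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/xrpl") && AFFECTED_XRPL_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "xrpl" && AFFECTED_XRPL_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/"); // nested node_modules in v1 lockfiles
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Return which of the advisory's indicators appear in a chunk of JS/TS source
// (e.g. the contents of node_modules/xrpl/dist or a captured network log).
function findIndicators(source) {
  const found = [];
  if (source.includes(IOC_DOMAIN)) found.push(IOC_DOMAIN);
  if (source.includes(IOC_FUNCTION)) found.push(IOC_FUNCTION);
  return found;
}

// Constructed sample lockfile: a clean top-level xrpl plus an affected copy
// nested under a hypothetical dependency named some-wallet-lib.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/xrpl": { version: "4.2.0" },
    "node_modules/some-wallet-lib/node_modules/xrpl": { version: "4.2.3" },
  },
};
// Constructed sample source line that would trip the domain indicator.
const SAMPLE_SOURCE = 'const url = "https://' + IOC_DOMAIN + '/";';
```

Run it against a real lockfile with `findAffectedXrpl(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a non-empty result means the project must be treated as affected per the steps that follow.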

Remediation Steps

  • Replace affected versions with:
    • 4.2.5 or later
    • 2.14.3 or later
  • Migrate funds to a new wallet using fresh keys
  • Monitor logs and systems for unusual activity

Who Detected It?

This threat was discovered by Aikido Intel, which uses machine learning to analyze changes in public package repositories like NPM. Their tools detected the deviation and alerted on the suspicious domain call.