Was XRPL mainnet compromised? No, xrpl.js supply chain attack only
As reported by CoinDesk, the XRP Ledger (XRPL) mainnet was not compromised; the incident was a supply-chain compromise of the xrpl.js JavaScript SDK distributed via npm. The malicious change targeted client applications that embed the SDK, not the ledger's consensus or validator code.
In late April 2025, a compromised npm publisher account (reported as phished) was used to publish backdoored xrpl.js releases that attempted to exfiltrate secret key material. CoinDesk's incident wrap noted that maintainers moved quickly to contain the issue and publish clean releases.
Why it matters: xrpl.js vulnerability risked private key exfiltration
As reported by EBTC News, the inserted code could have siphoned seed phrases or private keys from any project that installed or upgraded to a compromised build, including projects that picked one up automatically through an unpinned semver range. Security guidance in that report advises treating any secret touched by those versions as potentially exposed.
In practice, teams that integrated the affected builds would typically rotate keys, move funds to wallets generated on clean machines, and audit dependency graphs (direct and transitive) to establish the blast radius. Whether rotation is strictly required depends on whether the compromised code paths actually executed in production, but because that is hard to prove after the fact, the conservative assumption is that any secret handled by an affected build is exposed.
Update now: affected 4.2.1-4.2.4 and 2.14.2; safe 4.2.5 and 2.14.3
According to Ripple, the affected xrpl.js versions were 4.2.1 through 4.2.4 and 2.14.2, while the patched releases are 4.2.5 and 2.14.3 (the issue is tracked as CVE-2025-32965). The vulnerable packages were deprecated and safe versions published within hours of discovery.
Developers can check lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), CI caches, and container images to confirm exactly which builds were installed during the exposure window; a transitive dependency can pull in xrpl even when the project does not list it directly. Where uncertainty remains, rotating keys and re-provisioning on uncompromised machines are standard incident-response practices.
Ecosystem response and XRP Ledger security: XRPL Foundation, Ripple, Aikido
According to the XRPL Foundation, immediate mitigations included deprecating the backdoored packages, removing the compromised maintainer from publish rights, and enforcing two-factor authentication for npm maintainers. Ripple issued urgent advisories and coordinated communications to downstream projects.
As covered by Decrypt and based on data from Kaiko, XRPL later placed last in an August 2025 cross-chain "security" ranking that weighed this supply-chain event alongside decentralization metrics. Developers disputed the framing, pointing to 13-plus years without a core-protocol breach and recurring third-party audits by firms such as CertiK, Halborn, and FYEO.
Independent researchers emphasized that dependency hygiene can be a systemic risk even when the base layer is sound. Charlie Eriksen, CTO at Aikido Security, called it "a potentially catastrophic supply-chain attack," highlighting the package's heavy usage and downstream reach.
