XRP Ledger Bug Fixed After Critical XRPL.js Vulnerability

A critical vulnerability recently discovered in XRPL.js, a JavaScript library used to build applications on the XRP Ledger, has been patched, according to a security advisory from Aikido Security. The flaw was identified as a serious supply chain threat that could have compromised user wallets through injected malicious code.

Security researcher Charlie Eriksen from Aikido Security first detected the problem earlier this week. He revealed that a compromised developer token had allowed attackers to push malicious updates to the widely used xrpl.js package distributed via the Node Package Manager (NPM), a popular JavaScript package archive.

“A developer’s NPM access token was illegally obtained,” Aikido explained in a statement on X (formerly Twitter). “The source of the breach is still under investigation, but we suspect a targeted attack. Tracking down the exact source and the responsible parties remains a work in progress.”

The vulnerability specifically affected select versions of the NPM-distributed package, impacting third-party services and developers that pulled the corrupted libraries during a short time window. However, major applications such as Xaman Wallet and XRPScan confirmed that they remained unaffected by the incident, easing immediate concerns from community members.

The exploited flaw, according to Eriksen, posed a significant risk as it could have enabled attackers to access sensitive keys, and potentially take control of users’ crypto wallets. “At 20:53 GMT+0 on April 21st, our Aikido Intel monitoring system flagged five suspicious versions of the xrpl package — the official SDK for interacting with the XRP Ledger, which registers over 140,000 downloads each week,” Eriksen reported.

“This wasn’t just a typical vulnerability,” he continued. “With widespread use in web and mobile applications, this had the hallmarks of a potentially catastrophic supply chain attack within the broader crypto development community.”

The XRP Ledger Foundation acted quickly upon receiving confirmation of the threat. Developers promptly deprecated the compromised versions — v4.2.1 through v4.2.4 and v2.14.2 — and released an urgent patch in the form of version 4.2.5.

“Let’s be clear,” the foundation stated in their advisory. “This bug solely impacted xrpl.js, the JavaScript library used to interface with the ledger. The core XRP Ledger protocol and the official GitHub repositories were unaffected. For anyone using xrpl.js, it’s imperative to upgrade to version 4.2.5 immediately.”

To clarify for users not familiar with software development: a JavaScript library helps developers by bundling reusable code, while GitHub provides storage and version control for these code bases in the open-source ecosystem.

While the vulnerability had the potential to shake confidence in the security of XRP-related software, swift discovery and quick action by the developer community appear to have minimized any real-world damage. The response highlights the importance of active monitoring and the need for vigilance across decentralized platforms and third-party development tools.

Amid the security fix, XRP prices moved positively, surging by 8.5% in the last 24 hours, buoyed not only by the patch but also by broader market optimism.