Hacker's XRP Ledger Attack Thwarted

A hacker slithered into the XRP Ledger’s official JavaScript software on April 21, 2025, injecting malicious code that could steal private keys from unsuspecting crypto users. The attack targeted the XRPL NPM package, with the perpetrator – identified only as “mukulljangid” – pushing out five corrupted versions in what could have been a devastating supply chain attack.

The malware wasn’t exactly subtle. It embedded a shifty little function called “checkValidityOfSeed” that did anything but check validity. Instead, it was busy shipping off private keys to some sketchy website at 0x9c[.]xyz whenever new ones were created. Real classy. Users were advised to verify every character of destination addresses to prevent falling victim to similar attacks. The compromised code was specifically designed to steal private keys during Wallet object creation.

Fortunately, the cavalry arrived just in time. Aikido’s automated threat monitoring system – powered by their fancy LLM-based Intel platform – caught wind of the suspicious code updates at 8:53 PM UTC. They immediately sounded the alarm, and the XRP Ledger Foundation scrambled to push out a security fix.

The timing couldn’t have been better. With over 6 million accounts on the XRP Ledger – up 24% since January 2024 – this could have been an absolute nightmare. Anyone who’d updated their software after the attack would have downloaded the compromised code, potentially exposing their crypto wallets to theft.

What makes this attack particularly sneaky is that it targeted the JavaScript library used by XRPL developers, not end users directly. The compromised package releases didn’t match any tagged releases on the official GitHub repository – a red flag that something was seriously wrong.
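The red flag described above, registry releases with no matching tag in the source repository, can be checked mechanically. The following is an added example, not code from Aikido or the XRP Ledger project; the package name, versions, publishers and tags are constructed sample data, and the input shape assumes the JSON document the npm registry serves for a package.

```javascript
// Added example: flag npm versions that have no matching Git release tag.
// Package name, versions, publishers and tags are constructed sample data.

// Map common tag spellings to a bare version:
// "1.2.3", "v1.2.3", "<pkg>@1.2.3", "refs/tags/v1.2.3".
function tagToVersion(tag, pkgName) {
  let t = tag.trim();
  if (t.startsWith('refs/tags/')) t = t.slice('refs/tags/'.length);
  if (t.startsWith(pkgName + '@')) t = t.slice(pkgName.length + 1);
  if (/^v\d/.test(t)) t = t.slice(1);
  // Anything that is not semver-shaped is not a release tag.
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(t) ? t : null;
}

// packument: the JSON document the npm registry serves for a package
// ("versions" keyed by version, "time" holding publish timestamps).
function findUntaggedReleases(packument, gitTags) {
  const tagged = new Set();
  for (const tag of gitTags) {
    const v = tagToVersion(tag, packument.name);
    if (v) tagged.add(v);
  }
  return Object.keys(packument.versions)
    .filter((v) => !tagged.has(v))
    .map((v) => ({
      version: v,
      publisher: packument.versions[v]._npmUser?.name ?? null,
      published: packument.time?.[v] ?? null,
    }));
}

// Constructed sample: two releases were published without a repository tag.
const samplePackument = {
  name: 'example-ledger-lib',
  versions: {
    '1.0.0': { _npmUser: { name: 'maintainer-a' } },
    '1.1.0': { _npmUser: { name: 'maintainer-a' } },
    '1.1.1': { _npmUser: { name: 'unknown-publisher' } },
    '1.1.2': { _npmUser: { name: 'unknown-publisher' } },
  },
  time: { '1.1.1': '2025-01-01T20:00:00.000Z', '1.1.2': '2025-01-01T20:30:00.000Z' },
};
const sampleTags = ['example-ledger-lib@1.0.0', 'refs/tags/v1.1.0', 'docs-2024'];

for (const r of findUntaggedReleases(samplePackument, sampleTags)) {
  console.log(`UNTAGGED ${samplePackument.name}@${r.version} by ${r.publisher} at ${r.published}`);
}
```

A mismatch is a signal to hold the upgrade and review the published tarball, not proof of compromise, since some projects tag late or not at all.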

This incident serves as a stark reminder of just how vulnerable open-source software supply chains can be. While cryptocurrency has made impressive strides in security, it only takes one crafty hacker to potentially wreak havoc.

The quick response from Aikido’s security team and the XRP Ledger Foundation prevented what could have been one of the more sophisticated blockchain attacks in recent memory. Sometimes, timing really is everything.