XRP Ledger Dev Kit Infected—Backdoor Siphoned Wallet Keys in “Trust Us, We’re Crypto” Moment
A compromised XRP Ledger developer toolkit secretly harvested private keys—because nothing says “decentralized utopia” like a backdoor straight out of a hacker’s wishlist. The exploit, now patched, serves as another reminder that in crypto, the only thing truly locked is your money—until someone else unlocks it.
Malicious code embedded in the wallet logic
Aikido’s analysis found that the compromised packages contained a function called checkValidityOfSeed, which made outbound calls to the newly registered and unverified domain 0x9c[.]xyz.
The function was triggered during the instantiation of the wallet class, causing private keys to be silently transmitted when creating a wallet.
Early versions (v4.2.1 and v4.2.2) embedded the malicious code in the built JavaScript files. Subsequent versions (v4.2.3 and v4.2.4) introduced the backdoor into the TypeScript source files, followed by their compilation into production code.
The attacker appeared to iterate on evasion techniques, shifting from manual JavaScript manipulation to deeper integration in the SDK’s build process.
The report stated that this package is used by hundreds of thousands of applications and websites, describing the event as a targeted attack against the crypto development infrastructure.
The compromised versions also removed development tools such as prettier and scripts from the package.json file, further indicating deliberate tampering.
XRP Ledger Foundation and ecosystem response
The XRP Ledger Foundation addressed the issue in a public statement published via X on April 22. It stated:
Mark Ibanez, CTO of XRP Ledger-based Gen3 Games, said his team avoided the compromised package versions with a “bit of luck.”
He said:
“Our package.json specified "xrpl": "^4.1.0", which means that, under normal circumstances, any compatible minor or patch version—including potentially compromised ones—could have been installed during development, builds, or deployments.”
However, Gen3 Games commits its pnpm-lock.yaml file to version control. This practice ensured that exact versions, not newly published ones, were installed during development and deployment.
Ibanez emphasized several practices to mitigate risks, such as always committing the lockfile to version control, using pnpm (performant npm) when possible, and avoiding the caret (^) symbol in package.json to prevent unintended version upgrades.
The software development kit (SDK) maintained by Ripple and distributed through NPM receives over 140,000 downloads per week, with developers widely using it to build applications on the XRP Ledger.
The XRP Ledger Foundation removed the affected versions from the NPM registry shortly after the disclosure. Still, it remains unknown how many users had integrated the compromised versions before the issue was flagged.