
Ripple NPM supply chain attack hunts for private keys

Many versions of the Ripple ledger (XRPL) official NPM package are compromised with malware injected to steal cryptocurrency.

The NPM package, xrpl, is a JavaScript/TypeScript library that devs use to interact with and build apps using the cryptocurrency ledger’s features. This includes wallet and key management, payment channels, decentralized exchange, escrow, and so on.

Xrpl receives a great deal of interest from developers; weekly downloads hit a high of more than 186,000 in April, which offers an indication of how many people may be affected by the recent compromise in the absence of a confirmed number.

First discovered by security shop Aikido, the “sophisticated” attack was carried out on Monday evening and involved installing backdoors on five versions of xrpl. These were designed to steal users’ private keys and ultimately gain access to their wallets and funds.

The affected versions are 4.2.1, 4.2.2, 4.2.3, and 4.2.4, as well as 2.14.2. XRPL said the latter is less likely to be exploited since it is not compatible with other 2.x versions, but all users of these versions should assume they are compromised and rotate their private keys as soon as possible.

“To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys,” it said in an advisory.

Xrpl also said that if an account’s master key is potentially compromised, it should be disabled.

The vulnerability has been assigned a critical CVE (CVE-2025-32965, scored 9.3), though the record does not describe the malicious code's exact nature, only that it exists and is tied to the xrpl supply chain attack.

Researchers who discovered the malicious versions were first alerted to potential misuse after seeing the five new versions appearing on NPM but not on XRPL’s GitHub page.

Digging a little deeper, they found new code that called to a dodgy-looking domain, which turned out to be one created in January.

Charlie Eriksen, malware researcher at Aikido, said: “So that’s not great. It’s a brand new domain. Very suspicious.”

Eriksen then found the code that defines a new method, which various functions call in order to steal private keys. Analysis of the different versions the attacker(s) released showed signs of experimentation with different ways of stealing keys while remaining undetected.

Targeting NPM is an increasingly popular method of launching supply chain attacks for cybercriminals, primarily because of how easy it is to do. The open source nature of the platform and low barrier to entry makes it a prime target for attackers looking to compromise many individuals at once.

North Korean state-sponsored attackers are known to target NPM, with campaigns aimed at crypto and Web3 developers spotted as recently as February.

SecurityScorecard researchers said targeting NPM was becoming a hallmark of Lazarus’s tradecraft. The group’s overarching mission is to generate funds to support North Korea’s weapons program, according to Western intelligence.

Ryan Sherstobitoff, SVP of threat research and intelligence at SecurityScorecard, told The Register earlier this year:

“It is imperative for organizations and developers to adopt proactive security measures, continuously monitor supply chain activities, and integrate advanced threat intelligence solutions to mitigate the risk of sophisticated implant-based attacks orchestrated by threat actors like the Lazarus Group.” ®
