XRP supply chain attack: Official NPM package infected with crypto stealing backdoor

April 22, 2025

The decentralized finance ecosystem faced a direct threat as the official XPRL (Ripple) npm package was compromised by sophisticated threat actors. The attackers successfully injected a malicious crypto-stealing backdoor directly into the package's production distribution. When developers or financial applications download this official package to interface with the Ripple ledger, the backdoor activates silently. It is engineered to monitor active application memory, locate cryptographic private keys, and compromise digital wallets, ultimately exfiltrating the data to an attacker-controlled server to facilitate the unauthorized theft of digital assets.Organizations interacting with the Ripple network must immediately audit their application dependencies, isolate any builds utilizing the infected XPRL npm package version, and roll back to a known-secure release. All digital wallets and private keys managed by applications running the compromised software must be assumed exposed, necessitating the immediate migration of funds to new, secure cryptographic addresses generated on isolated devices.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?