The XRP Ledger Foundation has disclosed a major security incident involving one of its core developer tools—a JavaScript library widely used to build applications on the XRP blockchain.
The nonprofit stated that it removed a compromised version of the software after researchers discovered a backdoor that could steal users’ private keys.
Cybersecurity firm Aikido reported that sophisticated attackers had quietly inserted malicious code into the open-source library, which is used by “hundreds of thousands” of websites and apps that interact with the ledger. The code could have allowed unauthorized access to wallets and cryptocurrency held in them.
For users of the 2.14.x branch we’ve just published an updated npm package to remove the previously compromised version. If you’re using the 2.14.x branch, please update to 2.14.3 immediately:https://t.co/ZgCiSPf8px
— XRP Ledger Foundation (Official) (@XRPLF) April 22, 2025
The library itself does not run the network, but acts as a bridge helping developers read and write data to the network. The vulnerability amounts to a supply chain attack—an increasingly common tactic in which hackers compromise third-party code relied upon by many services.
This package is used by hundreds of thousands of applications and websites, making it a potentially catastrophic supply chain attack on the cryptocurrency ecosystem.” Aikido said in a blog post detailing the breach.
The company published screenshots of the rogue code and explained how it was disguised to look like part of the legitimate package.
XRP Ledger Foundation Cleans Up Code
The Foundation responded by quickly publishing a cleaned-up version of the library and updating its official code repository.
In a follow-up post on the microblogging platform X (formerly Twitter), the Foundation said it had confirmed that several key ecosystem projects, including XRPScan, First Ledger and Gen3 Games, were unaffected by the exploit.
Despite the scare, the price of XRP is up nearly 7% over the last 24 hours, amid a wider cryptocurrency market recovery that has seen the price of BTC surge to nearly $93,000 at the time of writing.
Launched in 2012, XRP Ledger is one of the earliest blockchain networks focused on payments and decentralized finance. It has seen renewed institutional interest in the U.S. despite a recent outage, with asset managers pursuing exchange-traded funds tied to the token and Coinbase launching XRP futures trading on its derivatives exchange.
