It Could Have Been Catastrophic If Left Unnoticed – Here are the Details of the Major Danger

The Ripple ecosystem is in the spotlight after a hacker injected malicious code into the official XRP Ledger (XRPL) package on the Node Package Manager (NPM) registry, a move that could allow attackers to steal users’ private keys and empty their wallets.
Security firm Aikido said the fake package appeared at 20:53 on Monday, April 21, and was uploaded under the name “mukulljangid.” Aikido researcher Charlie Eriksen warned that the incident “could be catastrophic” if left undetected, as the XRPL package underlies “hundreds of thousands of applications and websites.” GitHub download statistics show that the package was fetched around 140,000 times in the past week alone.
Aikido’s AI-powered threat feed flagged five suspicious versions that never appeared in XRPL’s GitHub repository, an anomaly that prompted closer scrutiny. Across successive versions, the attacker carefully concealed a backdoor that silently exported wallet private keys. Anyone holding those keys could move funds without the owner’s permission, so a quick fix was needed. On Tuesday, April 22 at 14:00 GMT, the XRPL community released a clean version, v2.2.1, that invalidates the infected code, but Ripple has yet to make an official announcement.
Developers are now racing to audit build pipelines, clean up affected versions, and rotate any keys that may have been exposed.
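The anomaly Aikido keyed on (registry versions with no matching release in the source repository) and the lockfile audit developers are now doing can both be scripted. The following is an added example written for this article, not code from Aikido, Ripple or the XRPL project: it reconciles a package's registry version list against its git tags, then walks an npm lockfile to report any pinned version that exists only on the registry. The package name, version numbers and lockfile contents are constructed sample data, not the real xrpl package or the real infected versions; in practice the two lists would come from `npm view <pkg> versions --json` and `git tag --list`.

```javascript
// Added example (not from the article, Aikido or XRPL). Flags package
// versions that exist on the npm registry but were never tagged in the
// project's source repository, then checks a lockfile for those versions.
// All sample data below is constructed; version numbers are hypothetical.

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1"; return null for anything else.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Canonical form without the leading "v", so registry and git tag spellings match.
function normalize(v) {
  const p = parseSemver(v);
  if (!p) return null;
  return `${p.major}.${p.minor}.${p.patch}${p.pre ? "-" + p.pre : ""}`;
}

// Versions published to the registry that have no corresponding source tag.
// A non-empty result is the signal the article describes: releases that never
// appeared in the repository and therefore bypassed the normal release path.
function findUntaggedVersions(registryVersions, gitTags) {
  const tagged = new Set(gitTags.map(normalize).filter(Boolean));
  return registryVersions
    .map(normalize)
    .filter((v) => v !== null && !tagged.has(v))
    .sort();
}

// Walk an npm lockfile (lockfileVersion 2/3 "packages" shape) and return every
// place `pkgName` resolves to a version in the suspect set, including nested copies.
function lockfileHits(lockfile, pkgName, suspect) {
  const suspectSet = new Set(suspect);
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const isPkg = path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`);
    if (!isPkg) continue;
    const v = normalize(entry.version || "");
    if (v && suspectSet.has(v)) hits.push({ path, version: v });
  }
  return hits;
}

// Constructed sample inputs (hypothetical package and versions).
const SAMPLE_REGISTRY_VERSIONS = ["4.0.0", "4.1.0", "4.1.1", "4.2.0", "4.2.1-rogue", "9.9.9"];
const SAMPLE_GIT_TAGS = ["v4.0.0", "v4.1.0", "v4.1.1", "v4.2.0"];
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/example-ledger-sdk": { version: "9.9.9" },
    "node_modules/some-dep/node_modules/example-ledger-sdk": { version: "4.1.1" },
  },
};

function runSample() {
  const untagged = findUntaggedVersions(SAMPLE_REGISTRY_VERSIONS, SAMPLE_GIT_TAGS);
  const hits = lockfileHits(SAMPLE_LOCKFILE, "example-ledger-sdk", untagged);
  return { untagged, hits };
}

if (typeof require !== "undefined" && require.main === module) {
  const { untagged, hits } = runSample();
  console.log("registry-only versions:", untagged);
  for (const h of hits) console.log(`lockfile pins suspect version ${h.version} at ${h.path}`);
}
```

The nested-path check matters because a compromised library is often pulled in transitively; a top-level `npm ls` can miss a second copy resolved under another dependency, while the lockfile records every resolution.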
The breach comes at a sensitive time for Ripple. In January 2024, co-founder Chris Larsen lost $112 million in XRP to thieves who took advantage of the LastPass breach; that amount is now worth $449 million after XRP surged 294% last year. DFTs running on XRP currently secure about $80 million in user deposits, all of which could have been vulnerable if the backdoor had been active for much longer.