Ripple's recommended XRP library xrpl.js hacked to steal wallets


Ripple's recommended JavaScript library, xrpl.js, was compromised to steal XRP wallet seeds, private keys, and mnemonics. Between 4:46 PM and 5:49 PM ET on April 24, 2025, attackers published five malicious versions of the library (2.14.2 and 4.2.1–4.2.4) to the npm registry. The compromised packages included a backdoor method named checkValidityOfSeed, appended to the /src/index.ts file. This function secretly transmitted sensitive wallet data via HTTP POST to a threat actor-controlled server at https://0x9c[.]xyz/xcm.

The backdoor used an "ad-referral" user agent to evade detection by network monitoring tools. The malicious function was invoked during legitimate library operations to harvest credentials silently. Given the wide adoption of xrpl.js—over 140,000 downloads in the past week—many XRP wallets may be at risk.

The XRP Ledger Foundation (XRPLF), maintainers of the library, have since removed the malicious versions and released a clean version 4.2.5. Users are strongly advised to upgrade immediately and rotate any potentially compromised credentials.

This attack is a textbook example of a cryptocurrency supply chain attack, emphasizing the need for heightened vigilance among developers and crypto users alike.
