Cybersecurity Threat Averted
A significant cybersecurity threat was narrowly averted when a hacker compromised a developer’s access token, inserting harmful code into a critical toolkit used by applications operating on the XRP Ledger. This flaw, discovered by Charlie Eriksen of Aikido Security, had the potential to trigger a widespread supply chain assault on the cryptocurrency ecosystem.
Details of the Incident
The incident involved the hacker leveraging a Node Package Manager (NPM) token belonging to a developer, allowing them to release tainted versions of the xrpl.js library, a crucial JavaScript resource for developers working with the XRP Ledger. With the library experiencing over 140,000 downloads weekly, its integration into countless applications and websites heightened concerns about the possible repercussions of this breach.
Eriksen described the situation as potentially “catastrophic” in a security update, emphasizing that the malicious code could enable attackers to steal private keys, thereby endangering users’ crypto wallets.
The malicious releases were first identified on April 21 by Aikido’s package-monitoring system, which flagged five questionable package versions.
Repercussions and Response
Fortunately, major platforms linked to XRP, including Xaman Wallet and XRPScan, confirmed that they were not affected by the attack. The actual exposure was limited to third-party applications that had inadvertently installed the compromised versions, identified as v4.2.1 through v4.2.4 and v2.14.2, during the brief window before the incident was neutralized.
In response, the XRP Ledger Foundation acted promptly, withdrawing the affected package versions and publishing a corrected release, v4.2.5, while advising developers using xrpl.js to upgrade without delay. The foundation reassured users that the core XRP Ledger code and its GitHub repository remained safe, since the compromise was confined to the external library.
Investigation and Market Impact
While the hacker’s identity has not been revealed, Aikido Security indicated that investigations are underway to track down leads related to the breach. Despite this alarming event, XRP maintained its stability, witnessing an 8.5% increase within 24 hours, aligning with a broader positive trend in the cryptocurrency market.
Ripple Labs Legal Settlement
In a related context, the lengthy legal battle between Ripple Labs and the U.S. Securities and Exchange Commission (SEC) has recently reached a resolution after more than four years. Initiated in December 2020, the SEC’s lawsuit accused Ripple of executing an unregistered securities offering through the sale of XRP tokens, amounting to over $1.3 billion. Ripple rebuffed the allegations, asserting that XRP should be classified as a digital currency, not a security.
In July 2023, U.S. District Judge Analisa Torres issued a split decision: she found that sales to institutional investors were in violation of securities laws, while transactions made on public exchanges were exempt from these regulations.
As a result, Ripple was required to pay a $125 million civil penalty. Ultimately, in March 2025, Ripple and the SEC finalized a settlement where Ripple would pay $50 million of the imposed fine, with the remaining $75 million refunded to the company. Both parties consented to drop their respective appeals, bringing an end to the litigation.