XRP Faces Serious Security Breach, Private Keys Compromised

Recently, XRP faced a major security breach involving one of XRP Ledger’s JavaScript libraries. The Ripple npm JavaScript library named xrpl.js was compromised in a software supply chain attack, which exposed users’ private keys. 

The security flaw was flagged by Aikido Security and was confirmed by Ripple CTO David Schwartz David Schwartz   David Schwartz is a blockchain architect, and cryptographer, and is the Chief Technology Officer (CTO) and Chief Cryptographer at Ripple and a a board member and consultant at PolySign, which provides infrastructure for digital assets.   Quick Facts   Name David Schwartz Birth 1970, United States Nationality American Education Electrical Engineering from the University of Houston, Texas. Marital status married to Tracey Schwartz Net worth Estimated at $1 billion (to be verified)   He is one of the key architects behind XRP Ledger (XRPL). XRPL is known for its high-speed transactions and low energy consumption compared to Proof-of-Work (PoW) blockchains. Before joining Ripple, Schwartz worked as a software engineer and cryptography expert, contributing to protected messaging and distributed methods.   David Schwartz - Career Highlights   1991 – Developed secure messaging and cryptographic systems for government and private sectors. 2011 – Co-founded OpenCoin, which later became Ripple, focusing on global payments. 2012 – Helped create the XRP Ledger (XRPL), pioneering a fast, scalable, and energy-efficient blockchain. 2018 – Became CTO of Ripple, overseeing technical innovations and blockchain research. 2021-Present – Continues leading Ripple’s expansion in cross-border payments and CBDCs, advocating for blockchain adoption in finance.   He consults startups with strategic planning, smart contracts, and consensus mechanisms. He often speaks at major blockchain seminars and engages with the XRP community.   Useful Links to Connect With David Schwartz   Platform Link X (formerly Twitter) https://twitter.com/JoelKatz LinkedIn https://www.linkedin.com/in/david-schwartz-ripple Ripple Website https://ripple.com Youtube https://www.youtube.com/c/Ripple     Developer/ProgrammerCrypto and Blockchain Expert The issue affects specific versions of the Node Package Manager (NPM) library, but major XRP services like Xaman Wallet and XRPScan confirmed they were unaffected.

The affected versions were 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. However, the issue has been fixed in newer versions 4.2.5 and 2.14.3. 

Peter Todd, a Bitcoin developer, pointed out that a decade after he warned of security risks in Ripple’s software due to lack of proper security measures like PGP signing, there’s a Ripple backdoor due to an npm compromise. He criticized Ripple for not using a secure method (PGP signatures) to verify their code, which could have prevented this attack.

Todd also admitted that his own Python Library is not PGP signed for most users due to PyPi phasing out PGP signatures. He criticised the software industry as ‘incompetent’, stressing that he has no control over it. 

• Also Read :
•   Ripple’s XRP Outpaces Bitcoin and Dogecoin to Lead India’s Crypto Market in Q1 2025
• ,

A user named “mukulljangid” introduced a malicious code into the xrpl.js package starting April 21, 2025 and also introduced a new function to steal private keys and send them to an external domain. The attacked gained access through a compromised Ripple employee’s npm account. Besides, the attacker used multiple versions in a short time to avoid detection, but there is no evidence of a backdoor in the GitHub repository.

The XRP Ledger foundation issued a clarification and confirmed that compromised versions of xrpl.js have been removed. Developers are advised to use versions 4.2.5 or 2.14.3, with a detailed report coming soon.

The incident has sparked concerns over software security, especially in crypto where customer support and huge sums of money are involved.