Description
Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If you are using one of these versions, stop immediately and rotate any private keys or secrets used with affected systems.
Version 2.14.
Recommendation
Update the xrpl package to the latest compatible version. Followings are version details:
Affected version(s): **= 2.14.2 >= 4.2.1, < 4.2.5** Patched version(s): **2.14.3 4.2.5**
References
Related Issues
- Prebid-universal-creative latest on npm briefly compromised - CVE-2025-59039
- Prebid.js NPM package briefly compromised - CVE-2025-59038
- DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware - CVE-2025-59037
- Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components - CVE-2025-1647
You might also like:
- Tags:
- npm
- xrpl
Anything's wrong? Let us know Last updated on April 22, 2025


