A major security breach has rocked the XRP Ledger (XRPL), Ripple’s smart contract-capable blockchain, after a hacker injected a malicious backdoor into its core software. Discovered by crypto security firm Aikido, the attack has raised alarms across the blockchain ecosystem.
Backdoor Planted in XRPL Node Software
The compromise began at 8:53pm UK time on Monday, when a user identified as mukulljangid uploaded five new versions of the XRPL package to npm, the Node package manager. These updates, not mirrored on XRPL’s official GitHub, included malicious code designed to steal private keys, the password-like credentials that control access to crypto wallets.
This node package is widely used across the XRP Ledger ecosystem and was downloaded over 140,000 times last week alone, making this a potentially devastating supply chain attack. Aikido’s Charlie Eriksen called it “potentially catastrophic,” given its widespread use in applications and websites.
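The malicious versions described above existed on the package registry but not in the official GitHub repository. The following added example, which is not code from the article, Aikido or the XRPL project, flags registry versions that have no matching source tag and groups those published in quick succession. The package name, versions, timestamps and tag list are constructed placeholders, and it assumes releases are tagged as `vX.Y.Z` or `name@X.Y.Z`.

```javascript
// Constructed registry metadata in the shape of an npm packument's "time" map.
// Package name, versions and timestamps are placeholders, not incident values.
const packument = {
  name: "example-ledger-sdk",
  time: {
    created: "2024-01-10T09:00:00.000Z",
    modified: "2025-03-03T21:40:00.000Z",
    "1.0.0": "2024-01-10T09:00:00.000Z",
    "1.1.0": "2024-06-01T09:00:00.000Z",
    "1.1.1": "2025-03-03T19:53:00.000Z",
    "1.1.2": "2025-03-03T20:10:00.000Z",
    "1.1.3": "2025-03-03T21:40:00.000Z",
  },
};
// Constructed output of `git tag --list` from the upstream source repository.
const gitTags = ["v1.0.0", "example-ledger-sdk@1.1.0"];

// Reduce tag styles such as "v1.0.0" or "pkg@1.0.0" to the bare version string.
function tagToVersion(tag, pkgName) {
  const t = tag.startsWith(pkgName + "@") ? tag.slice(pkgName.length + 1) : tag;
  return t.replace(/^v(?=\d)/, "");
}

// Published versions with no corresponding source tag, oldest first.
function untaggedVersions(meta, tags) {
  const tagged = new Set(tags.map((t) => tagToVersion(t, meta.name)));
  return Object.entries(meta.time)
    .filter(([v]) => v !== "created" && v !== "modified" && !tagged.has(v))
    .map(([version, ts]) => ({ version, published: Date.parse(ts) }))
    .sort((a, b) => a.published - b.published);
}

// Group untagged releases where each follows the previous within windowMs.
function bursts(entries, windowMs) {
  const groups = [];
  for (const e of entries) {
    const last = groups[groups.length - 1];
    if (last && e.published - last[last.length - 1].published <= windowMs) last.push(e);
    else groups.push([e]);
  }
  return groups.filter((g) => g.length > 1).map((g) => g.map((e) => e.version));
}

const suspects = untaggedVersions(packument, gitTags);
console.log("untagged:", suspects.map((s) => s.version));
console.log("bursts within 24h:", bursts(suspects, 24 * 3600 * 1000));
```

A version flagged here is a reason to diff the published tarball against the repository before installing, not proof of compromise, since some projects publish without tagging.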
How the Attack Unfolded
Over several iterations, the attacker tried various techniques to insert the backdoor while avoiding detection. The backdoor collected private keys and secretly transmitted them; the stolen keys could then be used to drain user wallets.
Aikido detected the threat via its AI-powered threat monitoring system, which scans new software versions for signs of malicious behaviour. The affected software was eventually patched on Tuesday at 2pm UK time, when a clean version replaced the infected ones.
Ripple’s Silence and Security Concerns
Ripple has yet to issue an official statement regarding the breach. The incident follows a major loss in January 2024, when Ripple co-founder Chris Larsen lost $112 million in XRP, later tied to a compromise at password manager LastPass. With XRP’s value having surged 294% over the past year, that stolen amount is now worth approximately $449 million.

This latest attack reignites concerns around Ripple’s internal security practices and the resilience of the XRPL ecosystem, especially with $80 million in user funds currently held in XRPL DeFi applications.
Wider Implications for the Crypto Industry
The breach is another reminder of the growing threat of supply chain attacks in crypto, where vulnerabilities in widely used developer tools can lead to massive financial damage.
According to Chainalysis, private key compromises accounted for 43.8% of all crypto thefts last year. This incident shows how attackers are increasingly targeting open-source infrastructure, embedding malware in places where it can go unnoticed for days or weeks.
As XRPL users scramble to assess the damage, the broader community is being urged to update their software, rotate private keys, and exercise heightened caution when integrating third-party code.