URGENT Update: Additional xrpl.js Versions Compromised — Immediate Action Required


xrpl-announce

Apr 22, 2025, 11:59:53 AM
to xrpl-announce

Hello all,

Following our previous security alert, we have identified that versions 2.14.2 and 4.2.3 of xrpl.js were also compromised with malicious code designed to exfiltrate private keys.

If you are using any of the following versions, you must stop immediately and rotate all private keys or secrets used with affected systems:

- 2.14.2

- 4.2.1

- 4.2.2

- 4.2.3

- 4.2.4

The XRP Ledger supports key rotation:

https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/assign-a-regular-key-pair

If a master key may have been exposed, it is critical to disable it:

https://xrpl.org/docs/tutorials/how-tos/manage-account-settings/disable-master-key-pair

Please upgrade to one of the latest rectified versions:

xrpl.js 4.2.5:

https://www.npmjs.com/package/xrpl/v/4.2.5

xrpl.js 2.14.3:

https://www.npmjs.com/package/xrpl/v/2.14.3

We strongly recommend auditing any systems that used the compromised versions for suspicious activity.
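
One way to check a project for the versions listed above, as an added example that is not part of the original announcement and is not code from the xrpl.js project: it scans a parsed package-lock.json for direct, transitive and aliased installs of xrpl. The function name and the sample lockfile (demo-app, wallet-lib, legacy-xrpl) are constructed for illustration.

```javascript
// Compromised xrpl.js versions, copied from the advisory above.
const COMPROMISED = new Set(["2.14.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4"]);

// Walk a parsed package-lock.json and return every install of "xrpl"
// that resolved to a compromised version, including transitive installs.
function findCompromisedXrpl(lock) {
  const hits = [];
  const check = (where, entry) => {
    if (entry && COMPROMISED.has(entry.version)) {
      hits.push({ path: where, version: entry.version });
    }
  };

  // lockfileVersion 2/3: flat map keyed by install path,
  // e.g. "node_modules/a/node_modules/xrpl". The "" key is the project itself.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    // entry.name is present when the package is installed under an alias.
    const name = entry.name || path.split("node_modules/").pop();
    if (name === "xrpl") check(path, entry);
  }

  // lockfileVersion 1: nested "dependencies" trees. Skipped when "packages"
  // exists, because v2 lockfiles repeat the same installs in both sections.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (name === "xrpl") check(where, entry);
      walk(entry.dependencies, `${where}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (hypothetical project and package names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xrpl": { version: "4.2.5" },
    "node_modules/wallet-lib/node_modules/xrpl": { version: "4.2.3" },
    "node_modules/legacy-xrpl": { name: "xrpl", version: "2.14.2" },
  },
};

console.log(findCompromisedXrpl(sampleLock));
```

To scan a real project, pass the result of `JSON.parse` on its package-lock.json. A clean lockfile only describes the current resolution, so any system that ever installed one of the listed versions still needs the key rotation described above.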
