This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Data exfiltration to suspicious domain (0x9c.xyz) confirmed by LLM & multiple YARA hits; missing project info adds to suspicion.
The package xrpl version 4.2.2 exhibits strong indicators of malicious behavior. While YARA rules alone are considered noisy, the multiple YARA matches across different files (Evidence 0, 1, 3, 4) pointing to communication with the suspicious domain https://0x9c.xyz/ are corroborated by a more reliable LLM-based analysis (Evidence 2). Evidence 2 specifically highlights a POST request to this domain, sending sensitive data ('seed') in the header. This strongly suggests data exfiltration. The lack of project information (Evidence 5) further increases suspicion, as it makes tracing the origin and legitimacy of the package difficult. The combination of multiple independent lines of evidence, particularly the confirmed data exfiltration attempt, points to malicious intent.