This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Malicious HTTP POST requests to a suspicious domain (.xyz) sending user data ('seed'), coupled with missing project info, strongly indicates malware.
The package xrpl version 4.2.3 exhibits strong indicators of malicious behavior. While YARA rules alone are insufficient, the consistent findings across multiple files (index.js, src/index.js, xrpl-latest-min.js, xrpl-latest.js) pointing to HTTP POST requests to https://0x9c.xyz/xc are corroborated by LLM-based analysis. Evidence 2 and 5 explicitly identify a checkValidityOfSeed function sending user data ('seed') via POST to this suspicious domain. This strongly suggests data exfiltration to a potential Command and Control (C&C) server. The unusual top-level domain (.xyz) further adds to the suspicion.

The lack of project information (Evidence 8) exacerbates the risk, as it hinders verification of the package's legitimacy. The combination of multiple independent sources confirming the malicious HTTP POST requests, coupled with the missing project information, provides strong evidence for classifying this package as malware.