This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Multiple independent sources confirm suspicious network activity that sends sensitive data (a wallet seed) to an unknown domain, and the package version lacks verifiable provenance.
The package xrpl version 2.14.2 exhibits strong indicators of malicious behavior, confirmed by multiple independent sources. YARA matches alone would be insufficient, but the same rule fires on communication with the unusual domain https://0x9c.xyz/ in four separate files (index.js, src/index.js, xrpl-latest-min.js and xrpl-latest.js), which is significant on its own. Crucially, the LLM-based file analysis (Evidences 2 and 5) confirms these findings with high confidence: both analyses identify POST requests to https://0x9c.xyz/xc that carry a seed parameter. In an XRP Ledger client library, the seed is the secret from which a wallet's signing keys are derived, so transmitting it to a third-party domain strongly suggests exfiltration of sensitive cryptographic material. The absence of project information for the package (Evidence 8) compounds the risk, since it prevents the provenance of this version from being verified. Taken together, the multiple independent confirmations of suspicious network activity, the sensitivity of the data involved, and the lack of verifiable provenance strongly indicate malicious intent.