This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Multiple LLM and YARA findings confirm data exfiltration to a suspicious domain (0x9c.xyz); missing project information further increases suspicion.
The package xrpl, version 4.2.4, exhibits strong indicators of malicious behavior. While YARA rules alone are insufficient, the consistent finding across multiple files (index.js, src/index.js, xrpl-latest-min.js, xrpl-latest.js) of communication with the suspicious domain https://0x9c.xyz/ is highly concerning. This is corroborated by two independent LLM-based analyses (Evidence 2 and 5), which identify the POST requests to this domain as sending sensitive data ('seed'), strongly suggesting data exfiltration. The unusual top-level domain .xyz further increases suspicion. The lack of project information (Evidence 8) adds to the concern, making it difficult to verify the legitimacy of the package and its intended functionality. The combination of multiple independent sources pointing to the same malicious behavior, particularly the LLM analysis, which is considered more reliable, provides strong evidence that this package is malicious.