critical flaw:
xpub derivation works by putting the chain code C and index I through a hash function to get a modifier private key m
using the base private key b, you can calculate the derived key as b + m
for the public part, m can still be calculated (chain code and index are public), but you only have the base public key B
you convert m to a public key M, and calculate B + M, and that is the public key for b + m
now if the derived key b + m gets leaked and the base xpub is public, m can be calculated and subtracted from b + m to get b
from there you can calculate any other derivation path