critical flaw:

xpub derivation works by putting the chain code C and index I through a hash function to get a modifier private key m

using the base private key b, you can calculate the derived key as b + m

for public part, m can still be calculated (chain code and index are public), but you only get base public key B

you convert m to a public key M, and calculate B + M, and that is the public key for b + m

now if b + m, the derived key, gets leaked, and the base xpub is public, m can be calculated and subtracted from b + m, to get b

you can from there calculate any other derivation path