Security researchers at StepSecurity have sounded the alarm on a compromised version of the @velora-dex/sdk package. On April 7, 2026, threat actors successfully published a malicious update (v9.4.1) to the npm registry, designed to drop a persistent backdoor on macOS developer machines immediately upon use.
Unlike many supply chain attacks that rely on suspicious installation hooks (like postinstall), this malware is significantly more stealthy. It is embedded directly within the library’s compiled code, meaning it remains dormant until a developer actually attempts to use the SDK in their project.
As the StepSecurity report details, “The compromised version contains code injected directly into dist/index.js that executes immediately when the package is imported. There is no install hook involved: the payload fires on the first require() or import call”.
The malicious code never appeared in the project’s official source code repository. The attacker bypassed the traditional CI/CD pipeline, publishing the poisoned version directly to npm.
Comparing the legitimate version (9.4.0) with the malicious one (9.4.1) reveals a surgical level of precision. The attacker only modified two files: the package.json for the version bump and the dist/index.js file, where three malicious lines were prepended.
“This is a hallmark of a registry-only attack where the malicious build was crafted and published outside the normal CI/CD pipeline,” the report explains.
Once a developer imports the library, a multi-stage infection process begins:
- C2 Communication: The injected code reaches out to a command-and-control (C2) server at 89.36.224.5 to download a secondary shell script.
- Payload Delivery: This script identifies the system architecture and drops a specialized macOS binary into a hidden folder: ~/Library/Application Support/com.apple.Terminal/profiler.
- Persistence: To ensure the malware survives a reboot, it registers itself as a persistent service using macOS’s launchctl utility under the name zsh.profiler.
For developers who may have downloaded or imported version 9.4.1, the news is grim. Because the malware grants the attacker a persistent foothold, any secret present on the machine at the time of infection must be considered stolen.
StepSecurity urges affected users to rotate all credentials, including:
- Cloud Keys: AWS, GCP, and Azure credentials.
- Access Tokens: npm tokens and GitHub Personal Access Tokens (PATs).
- Local Secrets: SSH keys, browser-stored passwords, and even cryptocurrency seed phrases.
The compromise was first brought to light by Charlie Eriksen from Aikido, and a clean version of the SDK is now available. To secure your environment, follow these steps immediately:
- Pin to Safe Version: Force your project to use version 9.4.0.
- Remove Persistence: Manually stop the zsh.profiler service and delete the malicious binary from the Application Support directory.
- Audit Network Logs: Search your firewall or proxy logs for any outbound connections to the 89.36.224.5 IP address, which confirms the malware successfully executed.
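As an added example (not StepSecurity's or the velora-dex project's code), the shell script below turns the three checks above into functions that can be run against a lockfile, a saved `launchctl list` listing and a proxy log. The lockfile layout, the log line format and the sample data are constructed assumptions; `triage_host` is the part intended for a suspect Mac.

```shell
#!/bin/sh
# Added triage helper; not code from StepSecurity or the velora-dex project.
# Checks the three indicators the report gives: a lockfile resolving 9.4.1,
# the zsh.profiler launchd job, and outbound traffic to the C2 address.
# Assumes an npm v2/v3 package-lock.json, `launchctl list` text on stdin,
# and a proxy or firewall log with one connection per line.
set -u

BAD_PKG='@velora-dex/sdk'
BAD_VERSION='9.4.1'                 # malicious release (from the report)
C2_IP='89.36.224.5'                 # C2 address (from the report)
PERSIST_LABEL='zsh.profiler'        # launchd job name (from the report)
DROP_PATH="${HOME:-}/Library/Application Support/com.apple.Terminal/profiler"

# 1. Print the top-level resolved @velora-dex/sdk version; exit 0 only if 9.4.1.
lock_resolves_bad_version() {
  awk -v pkg="$BAD_PKG" -v bad="$BAD_VERSION" '
    index($0, "\"node_modules/" pkg "\"") { inpkg = 1 }
    inpkg && match($0, /"version": *"[^"]*"/) {
      split(substr($0, RSTART, RLENGTH), f, "\""); ver = f[4]; inpkg = 0
    }
    END { if (ver != "") print pkg "@" ver; if (ver == bad) exit 0; exit 1 }
  ' "$1"
}

# 2. Persistence: look for the job label in `launchctl list` output (stdin).
launchd_shows_persistence() { grep -q -F -- "$PERSIST_LABEL"; }

# 3. C2 contact: count log lines naming the IP (fixed string, dots literal).
log_shows_c2_contact() { grep -c -F -- "$C2_IP" "$1"; }

# 4. Live checks for a suspect macOS host; not invoked by this script itself.
triage_host() {
  lock_resolves_bad_version "${1:-package-lock.json}" && echo "LOCK: resolves to $BAD_VERSION"
  launchctl list | launchd_shows_persistence && echo "PERSISTENCE: $PERSIST_LABEL is loaded"
  [ -e "$DROP_PATH" ] && echo "DROPPED BINARY: $DROP_PATH"
}

# Constructed samples (not real captures) so the checks can be exercised offline.
WORK=$(mktemp -d)
cat > "$WORK/bad-lock.json" <<'EOF'
{ "packages": {
    "node_modules/@velora-dex/sdk": {
      "version": "9.4.1" },
    "node_modules/left-pad": { "version": "1.3.0" } } }
EOF
sed 's/9\.4\.1/9.4.0/g' "$WORK/bad-lock.json" > "$WORK/clean-lock.json"
printf '2026-04-07T10:02:11Z CONNECT 10.0.0.12:51234 -> 89.36.224.5:80\n2026-04-07T10:02:13Z CONNECT 10.0.0.12:51240 -> 203.0.113.9:443\n' > "$WORK/proxy.log"
printf 'PID\tStatus\tLabel\n-\t0\tcom.apple.Finder\n4242\t0\tzsh.profiler\n' > "$WORK/launchctl.txt"
```

A non-zero count from `log_shows_c2_contact` means the payload reached the C2 host, so the credential rotation above applies to that machine.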