StepSecurity

A malicious version of the @velora-dex/sdk npm package (v9.4.1) was published on April 7, 2026, containing injected code in dist/index.js that fires at import time rather than via postinstall hooks. The payload downloads a shell script from a C2 server (89.36.224.5), drops an architecture-specific macOS binary into a path mimicking a legitimate Apple directory, and registers it as a persistent service via launchctl. The attack bypasses --ignore-scripts protections and completes the full kill chain in ~330ms. Indicators of compromise, detection commands, recovery steps (downgrade to 9.4.0, remove the launchctl service, rotate all credentials), and defensive tooling recommendations are provided.

@velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence

Runtime Validation with StepSecurity Harden-Runner

Defense in Depth: How StepSecurity Protects Against This