@velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence
A malicious version of the @velora-dex/sdk npm package was published, delivering an architecture-aware macOS backdoor that activates on import with no visible indicators. The attack occurred at the registry level without repository commits or install hooks.
- Disclosed: April 9, 2026
- Last updated: June 7, 2026
- Blast radius: Unknown scope; affects any developer or CI/CD environment that imported the malicious package version on macOS
- Ecosystems: npm
- Attack vectors: Registry-level compromise (malicious version published without repository commits or install hooks)
- Affected entities: @velora-dex/sdk
The npm package @velora-dex/sdk was compromised and a malicious version was published to the registry. The compromised release contains an architecture-aware macOS backdoor that executes when the package is imported into a project.
The backdoor establishes persistence using launchctl, the macOS service-management utility, without relying on an npm install hook (no preinstall or postinstall script) and without any change to the public repository. The malicious code runs as soon as the package is imported and produces no visible output, which makes detection difficult.
This is a registry-only supply chain attack: the compromise occurred at the package registry level rather than through repository access or a maintainer account takeover. Any macOS developer or CI/CD system that installed and imported the malicious version of @velora-dex/sdk would be affected.
Developers should immediately audit their environments for this package and remove any affected versions.
Indicators of compromise
- Packages: @velora-dex/sdk
Remediation
- Immediately remove or downgrade @velora-dex/sdk to a known-safe version prior to the compromise
- Audit all macOS machines and CI/CD environments that may have imported the malicious package for signs of launchctl-based persistence mechanisms
- Check LaunchAgent and LaunchDaemon directories (/Library/LaunchDaemons, /Library/LaunchAgents, ~/Library/LaunchAgents) for suspicious entries
- Review process execution logs and network traffic for signs of backdoor activity
- Consider using security scanning tools to detect the specific backdoor artifacts if the package version is identified
- Monitor npm security advisories for official guidance and a list of affected versions
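A triage script for the LaunchAgent/LaunchDaemon checks above, added here as an example; it is not part of the catalog entry and does not encode any published indicator for this backdoor. The heuristics it applies (references to npm or node_modules, programs run from temp directories, program paths outside system locations) and the sample plists in its test are assumptions and constructed data, not known characteristics of the malicious release.

```shell
#!/bin/sh
# Heuristic triage of launchd property lists for persistence dropped by a package install.
# Assumptions (not from the advisory): the payload persists via a plist it wrote under one of
# the LaunchAgents/LaunchDaemons directories, and that plist is in XML form. Binary plists
# must first be converted on macOS with: plutil -convert xml1 -o - FILE

# Program paths an OS-owned or vendor-installed job normally lives under; anything else is reported.
SAFE_PREFIX_RE='^(/System/|/usr/(bin|sbin|libexec)/|/Library/Apple/|/Applications/|/bin/|/sbin/)'

# Print every <string> value in an XML plist, one per line (Program, ProgramArguments, paths).
plist_strings() {
  grep -o '<string>[^<]*</string>' "$1" | sed 's/<string>//; s/<\/string>//'
}

# Classify one plist: prints a reason for the first suspicious value, nothing if it looks clean.
classify_plist() {
  plist_strings "$1" | awk -v safe="$SAFE_PREFIX_RE" '
    /node_modules|\/\.npm\/|\/npm\//  { print "references npm or node_modules: " $0; exit }
    /^\/(private\/)?(tmp|var\/tmp)\// { print "runs from a temp directory: " $0; exit }
    /^\// && $0 !~ safe               { print "program outside system paths: " $0; exit }
  '
}

# Walk the given directories and print "plist|reason" for each flagged entry.
# Usage: scan_launchd_dirs /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"
scan_launchd_dirs() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      reason=$(classify_plist "$plist")
      [ -n "$reason" ] && printf '%s|%s\n' "$plist" "$reason"
    done
  done
  return 0
}
```

Expect legitimate third-party agents (Homebrew, vendor updaters) to appear in the output; treat it as a review list for the audit, not a verdict.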
Cite this entry
"@velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed April 9, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/velora-dex-sdk-compromised-on-npm-malicious-version-drops-macos-backdoor-via-lau-10jrzk
Related incidents
- Malware in @doaction/auth (npm, compromised package, active, critical): Malware discovered in the npm package @doaction/auth. Systems with this package installed are considered fully compromised and require immediate remediation.
- Malware in @doaction/shared (npm, compromised package, contained, critical): Malware was discovered in the npm package @doaction/shared. Systems with this package installed are considered fully compromised and require immediate remediation.
- Malware in transacts (npm, compromised package, contained, critical): The npm package transacts was found to contain malware, resulting in full system compromise of any computer with the package installed or running. All secrets and keys should be rotated immediately from a different computer, and the package should be removed.
- Malware in buffer-utilities (npm, compromised package, contained, critical): Malware was discovered in the npm package buffer-utilities, resulting in full system compromise for any installation. The package should be removed immediately and all secrets and keys rotated from a clean system.