velora-dex-sdk
VeloraDEX SDK npm macOS Backdoor
A registry-only malicious release of @velora-dex/sdk 9.4.1 was published to npm with no matching source commit. Instead of using an install hook, the attacker prepended code to the package entry point so importing the SDK downloaded and installed a macOS backdoor with launchctl persistence. The change was limited to package metadata and dist/index.js compared with the clean 9.4.0 tarball, making --ignore-scripts ineffective because execution moved from install time to first runtime import.
- Date
- 2026-04-07
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Backdoor
- Cause
- Compromised Account/Credentials
What Was Affected
Package
velora-dex-sdk
Language
JavaScript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.com
Repository
github.com/VeloraDEX/sdk
Compromised Versions
Incident Context
- Motive
- Backdoor
- Transitive
- Yes
- User Impact
- 0
- Observed Duration
- 0 days
Evidence
Compromised Artifacts
External References
Source Data
Source record: oss/velora-dex-sdk/meta.yaml