MAL-2026-2510
Malicious code in @velora-dex/sdk (npm)
Details
Malicious npm package executing base64-decoded shell command to download and run stage-2 payload from C2 server (89.36.224.5) targeting macOS
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (21a732dd2745098176d2c19fe3edb359db6f6690b5d14b8d49e8a00b61325311) The package @velora-dex/sdk was found to contain malicious code.
## Source: ossf-package-analysis (013b2c71633a40b8d425f998bb589074e403eea3069a0af42d70a041827475a3) The OpenSSF Package Analysis project identified '@velora-dex/sdk' @ 9.4.1 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @velora-dex/sdk (npm). Pin to a known-safe version or switch to an alternative.