malware npm

@velora-dex/sdk

discovered 2026-04-08

@velora-dex/sdk is identified in the SafeDep analysis "Malicious @velora-dex/sdk Delivers Go RAT via npm". Version 9.4.1 of @velora-dex/sdk, a DeFi SDK with ~2,000 weekly downloads, was compromised to deliver a Go-based remote access trojan (minirat) targeting macOS developers.

more…

Threat types

rat persistence crypto_drainer

Malicious versions

1.0.0

Campaigns

No Specific Campaignattributed-to

Indicators

domain 89.36.224.5communicates-with
domain datahub.inkcommunicates-with
domain cloud-sync.onlinecommunicates-with
domain byte-io.uscommunicates-with
domain api.ipify.orgcommunicates-with
domain ipinfo.iocommunicates-with
ipv4 89.36.224.5communicates-with
ipv4 208.115.220.17communicates-with
sha256 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270indicates
sha256 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783dindicates
sha1 dfd224461edb06c556ee0d5677bd78ddda80b910indicates

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1552.004 Unsecured Credentials: Private Keysuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →