registry  /  @velora-dex/sdk  /  9.4.1

@velora-dex/sdk@9.4.1

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-2510 confirms this npm version as malicious. Malicious npm package executing base64-decoded shell command to download and run stage-2 payload from C2 server (89.36.224.5) targeting macOS

Advisory
MAL-2026-2510
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @velora-dex/sdk (npm)
Details
Malicious npm package executing base64-decoded shell command to download and run stage-2 payload from C2 server (89.36.224.5) targeting macOS --- ## Source: amazon-inspector (21a732dd2745098176d2c19fe3edb359db6f6690b5d14b8d49e8a00b61325311) The package @velora-dex/sdk was found to contain malicious code. ## Source: ossf-package-analysis (013b2c71633a40b8d425f998bb589074e403eea3069a0af42d70a041827475a3) The OpenSSF Package Analysis project identified '@velora-dex/sdk' @ 9.4.1 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms @velora-dex/sdk@9.4.1 as malicious (MAL-2026-2510): Malicious code in @velora-dex/sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory