A successful JINX-0164 compromise gives an attacker persistent access to developer workstations and build pipelines, creating the conditions for malicious code to enter a product's release artifacts, which downstream customers and users would then install as trusted software. For cryptocurrency and DeFi organizations, credential and wallet key theft carries direct financial loss risk, and CI/CD code poisoning can result in reputational destruction and regulatory scrutiny if compromised software reaches production users. The combination of supply chain entry, credential harvesting, and pipeline access means the blast radius extends beyond the initially targeted developer to every system and user that trusts the organization's software releases.
You Are Affected If
Your organization employs macOS developers who work on cryptocurrency, DeFi, or other software projects and who may have engaged with LinkedIn recruiter outreach
Your projects have a direct or transitive dependency on the npm package @velora-dex/sdk, or your package-lock.json or yarn.lock references it
Your CI/CD build nodes run on macOS or have access to macOS developer credentials and npm publishing tokens
Developer workstations at your organization do not have endpoint detection coverage that includes macOS launchctl persistence and credential access behaviors
Your npm dependency pipeline does not enforce lockfile integrity verification or Sigstore/provenance-based package signing
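As an added check that is not part of the original advisory, the Node.js script below scans an npm package-lock.json (lockfileVersion 2 or 3 "packages" map) for @velora-dex/sdk, reports which packages pull it in directly or transitively, and lists lockfile entries that carry no integrity hash (which npm therefore cannot verify at install time). The embedded lockfile is constructed sample data; the package names "demo-app" and "trading-cli" are invented for the demo.

```javascript
// Added example: audit an npm lockfile for a named package and for entries
// that lack an "integrity" hash. Works on the lockfileVersion 2/3 "packages" map.
const TARGET = "@velora-dex/sdk";

// Constructed sample lockfile: the root depends on "trading-cli", which in turn
// depends on the target package (a transitive dependency).
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "trading-cli": "^1.0.0" } },
    "node_modules/trading-cli": {
      version: "1.2.0",
      resolved: "https://registry.npmjs.org/trading-cli/-/trading-cli-1.2.0.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_HASH",
      dependencies: { "@velora-dex/sdk": "^2.0.0" },
    },
    "node_modules/@velora-dex/sdk": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-2.1.0.tgz",
      // no "integrity" field: npm has nothing to check the tarball against
    },
  },
};

// Package name from a "packages" key such as "node_modules/a/node_modules/@s/b".
function nameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Every installed copy of `target`, plus every package that declares it as a dependency.
function findPackage(lock, target) {
  const pkgs = lock.packages || {};
  const hits = [];
  for (const [lockPath, entry] of Object.entries(pkgs)) {
    if (lockPath !== "" && nameFromPath(lockPath) === target) {
      hits.push({ path: lockPath, version: entry.version, hasIntegrity: Boolean(entry.integrity) });
    }
  }
  const dependents = Object.entries(pkgs)
    .filter(([, entry]) => entry.dependencies && target in entry.dependencies)
    .map(([lockPath]) => (lockPath === "" ? "(root)" : nameFromPath(lockPath)));
  return { hits, dependents };
}

// Non-root, non-link entries with no integrity hash cannot be verified by npm on install.
function entriesMissingIntegrity(lock) {
  return Object.entries(lock.packages || {})
    .filter(([lockPath, entry]) => lockPath !== "" && !entry.link && !entry.integrity)
    .map(([lockPath]) => nameFromPath(lockPath));
}

console.log(JSON.stringify({ ...findPackage(sampleLock, TARGET), missingIntegrity: entriesMissingIntegrity(sampleLock) }, null, 2));
```

To run against a real lockfile, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; yarn.lock uses a different text format and is not parsed by this script.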
Board Talking Points
An active attacker is embedding hidden malware into developer tools used in the cryptocurrency industry, and any developer at our organization who installed the affected package or responded to a fake recruiter message may have given the attacker access to our codebase and internal systems.
We are conducting an emergency audit of all developer machines and build systems this week, rotating credentials and removing the compromised package as the immediate priority.
If we do not act now, a compromised build pipeline means our next software release could contain attacker-controlled code, exposing our customers and subjecting us to breach notification obligations and loss of user trust.
FinCEN / BSA — cryptocurrency firms handling digital asset transactions may trigger suspicious activity reporting obligations if attacker access resulted in unauthorized fund movement or wallet key exposure
GDPR / applicable data protection law — if compromised developer credentials or CI/CD access exposed personal data of EU-resident users stored in development or production systems, breach notification timelines apply
SOC 2 — CI/CD pipeline compromise and credential theft directly implicate availability, confidentiality, and change management trust service criteria, requiring disclosure to auditors and affected customers