

Ethical Hacking News

dYdX Crypto Exchange Under Siege: Malicious Packages Expose User Wallets to Theft



Malicious packages published on npm and PyPI have been found to contain code that steals wallet credentials from dYdX developers and backend systems, leaving users vulnerable to irreversible cryptocurrency theft. The affected packages were uploaded by official dYdX accounts, indicating a sophisticated attack that targets trusted distribution channels.

  • Malicious packages on npm and PyPI repositories were found to contain code that steals wallet credentials from dYdX users.
  • The malicious code exfiltrated seed phrases and device fingerprints, allowing threat actors to track victims across multiple compromises.
  • A remote access Trojan (RAT) was implemented in the malware, enabling execution of new malware on infected systems.
  • Threat actors could execute arbitrary Python code with user privileges, steal SSH keys and API credentials, and install persistent backdoors.
  • dYdX has been targeted by thieves before, including a September 2022 npm repository attack and the commandeering of the v3 website in 2024 through DNS hijacking.


    Malicious packages published on the npm and PyPI repositories have been found to contain code that steals wallet credentials from developers and backend systems of the dYdX cryptocurrency exchange, leaving users vulnerable to irreversible cryptocurrency theft. According to security firm Socket, the malicious packages were published through official dYdX accounts on the two popular open-source package distribution platforms.

    The affected packages included versions of the @dydxprotocol/v4-client-js library, which third-party apps use for trading bots, automated strategies, or backend services. The malicious function embedded in these packages exfiltrated the seed phrases that underpin wallet security, along with a fingerprint of the device running the app. The fingerprint allowed the threat actor to correlate stolen credentials and track victims across multiple compromises.

    In addition to the credential theft function, the PyPI malware contained a remote access Trojan (RAT) that enabled the execution of new malware on infected systems. The RAT received commands from the domain dydx[.]priceoracle[.]site, which mimicked the legitimate dYdX service at dydx[.]xyz through typosquatting.

    The RAT implemented by the malicious code allowed threat actors to execute arbitrary Python code with user privileges, steal SSH keys, API credentials, and source code, install persistent backdoors, exfiltrate sensitive files, monitor user activity, modify critical files, and pivot to other systems on the network. The domain receiving the seed was registered on January 9, just 17 days before the malicious package was uploaded to PyPI.

    This incident is not the first time dYdX has been targeted by thieves. Previous events include the September 2022 upload of malicious code to the npm repository and the 2024 commandeering of the dYdX v3 website through DNS hijacking. Users were redirected to a malicious site that prompted them to sign transactions designed to drain their wallets.

    The latest attack highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels, according to Socket. The threat actor simultaneously compromised packages in both npm and PyPI ecosystems, expanding the attack surface to reach JavaScript and Python developers working with dYdX.

    As a result, anyone using the platform should carefully examine all apps for dependencies on the malicious packages listed above. It is essential for users to take immediate action to protect themselves from potential theft by checking their wallets and taking steps to secure them against future attacks.
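
One way to run the dependency check recommended above, as an added example that is not from the article or from Socket: it walks an npm `package-lock.json` for every direct or transitive copy of `@dydxprotocol/v4-client-js` and matches the RAT's command domain in plain or defanged form. The affected version numbers are not given on this page, so `ADVISORY_VERSIONS` holds a placeholder to be filled from the advisory, and the sample lockfile (`trading-bot`, `bot-sdk`, version `1.0.0`) is constructed.

```python
import json
import re

PACKAGE = "@dydxprotocol/v4-client-js"  # npm library named in the article
C2_DOMAIN = "dydx.priceoracle.site"     # RAT command domain from the article
# Match the domain written plainly or defanged (dydx[.]priceoracle[.]site).
C2_RE = re.compile(r"\[?\.\]?".join(map(re.escape, C2_DOMAIN.split("."))), re.I)
# Placeholder: affected versions are not on this page; copy them from the advisory.
ADVISORY_VERSIONS = {"0.0.0-PLACEHOLDER"}

def find_installs(lock):
    """Return sorted (path, version) for every resolved copy of PACKAGE."""
    hits = set()
    # lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
    for path, meta in lock.get("packages", {}).items():
        if path.rpartition("node_modules/")[2] == PACKAGE:
            hits.add((path, meta.get("version", "?")))
    # lockfileVersion 1: nested "dependencies" tree, so recurse.
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PACKAGE:
                hits.add((path, meta.get("version", "?")))
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return sorted(hits)

def audit(lock, bad_versions=ADVISORY_VERSIONS):
    """Split installs into (flagged, needs_review) against the advisory list."""
    installs = find_installs(lock)
    flagged = [i for i in installs if i[1] in bad_versions]
    return flagged, [i for i in installs if i[1] not in bad_versions]

def mentions_c2(text):
    """True if a source, config or DNS/proxy log line names the C2 domain."""
    return bool(C2_RE.search(text))

# Constructed sample lockfile: one direct and one transitive copy of the library.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3, "packages": {
    "": {"name": "trading-bot"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "1.0.0"},
    "node_modules/bot-sdk/node_modules/@dydxprotocol/v4-client-js":
      {"version": "0.0.0-PLACEHOLDER"}
  }
}""")

if __name__ == "__main__":
    print(dict(zip(("flagged", "needs_review"), audit(SAMPLE_LOCK))))
```

Copies that land in `needs_review` are not cleared: they are installs of the named library whose version still has to be compared against the published advisory.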

    Related Information:
  • https://www.ethicalhackingnews.com/articles/DYdX-Crypto-Exchange-Under-Siege-Malicious-Packages-Expose-User-Wallets-to-Theft-ehn.shtml

  • https://arstechnica.com/security/2026/02/malicious-packages-for-dydx-cryptocurrency-exchange-empties-user-wallets/

  • https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html

  • https://tornews.com/news/cyber-threats/dydx-supply-chain-attack-crypto-wallets/


  • Published: Fri Feb 6 17:14:25 2026 by llama3.2 3B Q4_K_M












