

Ethical Hacking News

Malicious Packages on npm and PyPI Erode dYdX Users' Wallets



Malicious packages published on npm and PyPI have been used to steal wallet credentials from dYdX developers and backend systems, compromising users' wallets and leading to irreversible cryptocurrency theft. This incident is the latest in a series of attacks targeting dYdX-related assets through trusted distribution channels.

  • dYdX, a popular platform for perpetual trading, has been targeted by thieves at least three times.
  • Malicious packages on npm and PyPI repositories stole wallet credentials from dYdX developers and backend systems.
  • In some cases the malicious code also backdoored devices, allowing attackers to remotely access compromised systems.
  • Malicious code used typosquatting to intercept seed phrases, exfiltrating them along with a fingerprint of the device.
  • A remote access Trojan (RAT) enabled execution of new malware on infected systems.
  • The incident highlights the need for vigilance and caution when using decentralized platforms like dYdX.



    Ars Technica has reported a security incident that highlights the vulnerability of decentralized derivatives exchanges to malicious attacks. dYdX, a popular platform for perpetual trading, has been targeted by thieves for at least the third time.

    According to researchers from security firm Socket, malicious packages published on the npm (Node Package Manager) and PyPI (Python Package Index) repositories were laced with code that stole wallet credentials from dYdX developers and backend systems. In some cases, this malicious code also backdoored devices, allowing attackers to remotely access compromised systems.

    The affected packages included versions of the dYdX client library for JavaScript and Python, which are used by third-party apps for trading bots, automated strategies, or backend services. These libraries handle sensitive data such as mnemonics or private keys for signing, making them a prime target for attackers.

    The malicious code embedded in these packages used a technique called typosquatting to mimic the legitimate dYdX service at dydx[.]xyz. This allowed attackers to intercept seed phrases that underpin wallet security, exfiltrating them along with a fingerprint of the device running the app. The fingerprint enabled the attackers to correlate stolen credentials across multiple compromises.

    Furthermore, the malicious code available on PyPI also implemented a remote access Trojan (RAT) that allowed the execution of new malware on infected systems. This backdoor received commands from dydx[.]priceoracle[.]site, which mimics the legitimate dYdX service at dydx[.]xyz.

    Researchers from Socket noted that the packages were published to npm and PyPI by official dYdX accounts, indicating that those accounts had been compromised and used by the attackers. This highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels.

    This incident serves as a reminder for users of dYdX and other decentralized platforms to carefully examine all apps for dependencies on malicious packages. It also underscores the importance of robust security measures, such as encryption and secure key management, in protecting sensitive data.
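
    One way to run that examination for the two domains named above, added here as an example and not taken from Socket's research or from dYdX: the script walks an install tree such as node_modules or site-packages and reports references to the command server domain, plus hostnames within two edits of the legitimate domain. The edit-distance threshold, the file suffix list, the function names and the sample package are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Domains as printed in the article, stored defanged and refanged at runtime.
LEGIT = "dydx[.]xyz".replace("[.]", ".")
C2 = "dydx[.]priceoracle[.]site".replace("[.]", ".")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
SUFFIXES = {".py", ".js", ".mjs", ".cjs", ".ts", ".json"}

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(host):
    """Return 'known-c2', 'lookalike' (assumed: within two edits), or None."""
    host = host.lower().rstrip(".")
    if host == C2 or host.endswith("." + C2):
        return "known-c2"
    if host == LEGIT or host.endswith("." + LEGIT):
        return None
    base = ".".join(host.split(".")[-2:])  # crude registrable domain (assumption)
    return "lookalike" if edit_distance(base, LEGIT) <= 2 else None

def scan(root):
    """Walk installed package sources and report suspicious hostnames."""
    findings = set()
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            for host in HOST_RE.findall(text):
                kind = classify(host)
                if kind:
                    findings.add((path.relative_to(root).as_posix(), host.lower(), kind))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree; point scan() at node_modules or site-packages instead.
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp, "example_pkg")  # hypothetical package name
        pkg.mkdir()
        Path(pkg, "client.py").write_text(f'API = "https://indexer.{LEGIT}"\n')
        Path(pkg, "util.py").write_text(f'URL = "https://{C2}/cmd"\n')
        print(scan(tmp))
```

    A hit only marks a file for manual review; a clean result does not show a package is safe, since the strings can be obfuscated or assembled at runtime.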

    In conclusion, this security incident highlights the need for vigilance and caution when using decentralized platforms like dYdX. By staying informed about potential threats and taking proactive steps to protect themselves, users can minimize their risk of falling victim to malicious attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-Packages-on-npm-and-PyPI-Erode-dYdX-Users-Wallets-ehn.shtml

  • https://arstechnica.com/security/2026/02/malicious-packages-for-dydx-cryptocurrency-exchange-empties-user-wallets/

  • https://www.cryptopolitan.com/dydx-malicious-packages-empty-user-wallets/


  • Published: Tue Feb 17 13:04:38 2026 by llama3.2 3B Q4_K_M












