Supply Chain Attack Targets Cryptocurrency Developers
Cybersecurity researchers have discovered a supply chain attack in which legitimate packages on npm and the Python Package Index (PyPI) have been compromised to distribute wallet credential theft malware and remote code execution tools. The affected packages and versions are:
- @dydxprotocol/v4-client-js (npm) - versions 3.4.1, 1.22.1, 1.15.2, 1.0.31
- dydx-v4-client (PyPI) - version 1.1.5post1
These packages provide developers with tools to interact with the dYdX v4 protocol, including transaction signing, order placement, and wallet management. With over $1.5 trillion in cumulative trading volume, dYdX represents a high-value target for attackers.
Suspected Developer Account Compromise
The rogue versions were published using legitimate publishing credentials, suggesting developer account compromise rather than technical exploitation of the registry itself. The threat actors demonstrated detailed knowledge of package internals, inserting malicious code into core registry files that would execute during normal package usage.
Ecosystem-Specific Attack Payloads
The compromised packages target both JavaScript and Python ecosystems with different payloads:
npm Package (JavaScript):
- Cryptocurrency wallet stealer that extracts seed phrases and device information
- Sends sensitive data to attacker-controlled servers
PyPI Package (Python):
- Wallet stealer functionality
- Remote access trojan (RAT) that contacts external server
- Executes attacker-supplied commands on Windows systems
The sophisticated obfuscation and coordinated cross-ecosystem deployment indicate advanced threat actors with deep infrastructure knowledge.
Historical Pattern of dYdX Targeting
This is not the first supply chain attack on the dYdX ecosystem. The organization has been targeted three times in four years, highlighting how adversaries focus on trusted distribution channels to reach cryptocurrency developers.
Response and Mitigation
Following responsible disclosure, dYdX acknowledged the incident and urged affected users to isolate affected machines, move funds to new wallets from clean systems, and rotate all API keys and credentials.
The legitimate dydx-v4-clients packages hosted on dYdX's GitHub repository do not contain malware.
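A concrete first step in the isolation advice above is confirming whether a project ever pulled one of the compromised versions. The following added example (not dYdX's or the registries' tooling) scans a lockfileVersion 2/3 package-lock.json and a `pip freeze` listing for the versions named earlier, normalizing PyPI spellings so `1.1.5.post1` and `1.1.5post1` match; the sample inputs are constructed.

```python
"""Scan a package-lock.json and a pip freeze listing for the compromised
dYdX client versions named in the advisory. Added example, not dYdX tooling."""
import json
import re

# Compromised versions exactly as named in the advisory, keyed by ecosystem.
COMPROMISED_NPM = {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}}
COMPROMISED_PYPI = {"dydx-v4-client": {"1.1.5post1"}}


def normalize_pypi(name, version):
    """PEP 440-style normalization so 'dydx_v4_client==1.1.5.post1' and
    'dydx-v4-client==1.1.5post1' compare equal (post/rev/r are synonyms)."""
    name = re.sub(r"[-_.]+", "-", name.strip()).lower()
    version = re.sub(r"[-_.]?(post|rev|r)[-_.]?(\d+)$", r".post\2", version.strip().lower())
    return name, version


# Normalized (name, version) pairs for the PyPI side.
_BAD_PYPI = {normalize_pypi(n, v) for n, vs in COMPROMISED_PYPI.items() for v in vs}


def check_npm_lock(lock_text):
    """Return [(name, version)] hits from a lockfileVersion 2/3 package-lock.json.
    Keys look like 'node_modules/a/node_modules/@scope/pkg'; the last segment is the package."""
    hits = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED_NPM.get(name, ()):
            hits.append((name, meta["version"]))
    return hits


def check_pip_freeze(freeze_text):
    """Return [(name, version)] hits from pip freeze output (name==version per line)."""
    hits = []
    for line in freeze_text.splitlines():
        if "==" in line:
            pair = normalize_pypi(*line.split("==", 1))
            if pair in _BAD_PYPI:
                hits.append(pair)
    return hits


# Constructed sample inputs: a lockfile with a nested copy of the npm package,
# and a freeze listing using the alternate post-release spelling.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "trading-bot"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "1.15.2"},
    "node_modules/bot-utils/node_modules/@dydxprotocol/v4-client-js": {"version": "1.0.30"},
}})
SAMPLE_FREEZE = "requests==2.31.0\ndydx_v4_client==1.1.5.post1\n"

if __name__ == "__main__":
    print(check_npm_lock(SAMPLE_LOCK))      # [('@dydxprotocol/v4-client-js', '1.15.2')]
    print(check_pip_freeze(SAMPLE_FREEZE))  # [('dydx-v4-client', '1.1.5.post1')]
```

A hit only says the version was resolved into the project; per the advisory, the machine that installed it should be treated as compromised regardless of whether the payload was observed running.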
TL;DR
- dYdX npm and PyPI packages compromised via developer account breach, distributing wallet stealers and RAT malware
- Attack demonstrates sophisticated knowledge of package internals with ecosystem-specific payloads for JavaScript and Python
- Pattern of persistent targeting of dYdX assets highlighting supply chain vulnerabilities in cryptocurrency development
Source: The Hacker News