Malware in dYdX Packages Steals Crypto Keys
7 Feb
Summary
- Malicious code in npm and PyPI packages stole developer wallet credentials.
- Attackers used typosquatting to mimic legitimate dYdX services.
- This is at least the third attack targeting dYdX assets.

Open-source packages associated with the decentralized derivatives exchange dYdX were compromised with malicious code designed to steal wallet credentials and backdoor systems. Researchers discovered infected packages on both the npm and PyPI repositories, posing a significant risk to applications that utilize these libraries.
The malware embedded within the npm package (@dydxprotocol/v4-client-js) exfiltrated seed phrases and device fingerprints, directing them to a typosquatted domain, dydx[.]priceoracle[.]site. The PyPI package (dydx-v4-client) contained similar credential-stealing functions, with the addition of a remote access Trojan (RAT) capable of executing arbitrary Python code on infected systems.
This incident represents at least the third attack targeting dYdX, following a malicious code upload in September 2022 and a DNS hijacking event in early 2024. The simultaneous compromise of packages across npm and PyPI underscores a pattern of adversaries targeting dYdX through trusted channels, expanding the attack surface to both JavaScript and Python developers.
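A defensive check for the two packages named above, added here as an example and not taken from the article or from dYdX: it walks a project tree, finds installed copies of either package, and lists the files in each copy that contain the exfiltration domain. The function names and report layout are assumptions made for this example. The article gives no affected version numbers, so the installed version is reported but not judged.

```python
import csv
import json
import os
import re

# Names and domain as given in the article; the domain is re-fanged only in memory.
IOC_DOMAIN = "dydx[.]priceoracle[.]site".replace("[.]", ".")
NPM_PKG = "@dydxprotocol/v4-client-js"
PYPI_PKG = "dydx-v4-client"

def _normalize(name):
    # PEP 503: dydx_v4_client and dydx-v4-client name the same distribution.
    return re.sub(r"[-_.]+", "-", name).lower()

def _files_under(path):
    return [os.path.join(d, f) for d, _, fs in os.walk(path) for f in fs]

def _record_files(site_dir, dist_info):
    # RECORD lists every file the wheel installed, relative to site-packages.
    record = os.path.join(site_dir, dist_info, "RECORD")
    if not os.path.isfile(record):
        return []
    with open(record, newline="", encoding="utf-8") as fh:
        return [os.path.join(site_dir, row[0]) for row in csv.reader(fh) if row]

def find_installs(root):
    """Yield (ecosystem, version, files) for each installed copy under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        is_npm = dirpath.replace(os.sep, "/").endswith("node_modules/" + NPM_PKG)
        if is_npm and "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                version = json.load(fh).get("version", "unknown")
            yield "npm", version, _files_under(dirpath)
        for d in dirnames:
            m = re.fullmatch(r"(.+)-([^-]+)\.dist-info", d)
            if m and _normalize(m.group(1)) == PYPI_PKG:
                yield "pypi", m.group(2), _record_files(dirpath, d)

def _has_ioc(path):
    try:
        with open(path, "rb") as fh:
            return IOC_DOMAIN.encode() in fh.read()
    except OSError:
        return False  # listed in RECORD but missing or unreadable

def scan(root):
    """Return one finding per installed copy, with the files that contain the domain."""
    return [{"ecosystem": e, "version": v, "ioc_files": sorted(filter(_has_ioc, files))}
            for e, v, files in find_installs(root)]
```

A non-empty `ioc_files` list means that installed copy references the domain. An empty list does not clear the package, because the string may be obfuscated in the installed code.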




