Malicious packages published to npm and PyPI for the dYdX cryptocurrency exchange were found to exfiltrate wallet credentials from developers and backend systems and, in some cases, backdoor devices, according to Socket. Every application using the compromised versions is at risk, with direct impact including complete wallet compromise and irreversible cryptocurrency theft, the researchers said on Friday.
On npm, the compromise affected certain versions of the v4 client-js library; on PyPI, the entry dydx-v4-client 1.1.5post1 carried a parallel credential-theft function plus a remote access Trojan (RAT) that could receive commands from a domain registered on January 9, 17 days before the PyPI upload.
The RAT runs as a background daemon, beacons every 10 seconds, and can execute Python code with user privileges, steal SSH keys and API credentials, install persistent backdoors, and exfiltrate sensitive files, according to Socket. This incident is at least the third time dYdX has been targeted, following a 2022 npm supply‑chain compromise and a 2024 DNS hijacking event that redirected users to a malicious site prompting signed transactions.
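Two defender-side checks follow from the details above: flagging the known-bad PyPI version in a dependency listing, and spotting the RAT's fixed 10-second beacon in outbound connection logs. The script below is an added example, not code from Socket or dYdX. It encodes only the PyPI indicator the article names (dydx-v4-client 1.1.5post1, which pip also spells 1.1.5.post1); the affected npm versions and the command-and-control domain are not given on the page, so they are not included. The requirements text and the log lines are constructed samples, and the log format is an assumption.

```python
"""Added example: dependency-pin check and beacon-interval detection for the
dYdX package compromise. Not Socket's or dYdX's code; sample inputs are
constructed for the demonstration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Known-bad PyPI release named in the article, stored in pip's spelling.
# The affected npm versions are not named on the page, so only PyPI is covered.
BAD_PYPI = {("dydx-v4-client", "1.1.5.post1")}


def normalize_name(name: str) -> str:
    # PEP 503 name normalisation: case-insensitive, runs of "-", "_", "." -> "-"
    return re.sub(r"[-_.]+", "-", name).lower()


def normalize_version(ver: str) -> str:
    # PEP 440 treats "1.1.5post1" and "1.1.5.post1" as the same release;
    # only the post-release spelling is normalised here, which suffices for this IoC.
    return re.sub(r"(\d)[-_.]?post", r"\1.post", ver.lower())


def find_bad_pins(requirements_text: str) -> list[str]:
    """Return the 'name==version' pins that match a known-bad release."""
    hits = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.+_-]+)", line)
        if not m:
            continue
        name, ver = normalize_name(m.group(1)), normalize_version(m.group(2))
        if (name, ver) in BAD_PYPI:
            hits.append(f"{m.group(1)}=={m.group(2)}")
    return hits


# Assumed (constructed) outbound-connection log format: "<date> <time> src=<ip> dst=<ip:port>"
LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+)")


def find_beacons(log_text: str, period_s: float = 10.0,
                 tolerance_s: float = 1.0, min_hits: int = 4) -> list[tuple[str, str]]:
    """Return (src, dst) pairs whose connections recur every ~period_s seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        times[(m.group(2), m.group(3))].append(ts)
    beacons = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A beacon shows a median gap near the period and little jitter between gaps.
        if (abs(statistics.median(gaps) - period_s) <= tolerance_s
                and statistics.pstdev(gaps) <= tolerance_s):
            beacons.append(pair)
    return beacons


# Constructed sample inputs for the demonstration.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
dydx-v4-client==1.1.5post1   # spelling as published on PyPI
DyDx_V4_Client==1.1.5.post1  # same release, pip's spelling and odd casing
numpy==1.26.4
"""

SAMPLE_LOG = """\
2024-01-01 10:00:00 src=10.0.0.5 dst=203.0.113.7:443
2024-01-01 10:00:10 src=10.0.0.5 dst=203.0.113.7:443
2024-01-01 10:00:20 src=10.0.0.5 dst=203.0.113.7:443
2024-01-01 10:00:30 src=10.0.0.5 dst=203.0.113.7:443
2024-01-01 10:00:41 src=10.0.0.5 dst=203.0.113.7:443
2024-01-01 10:00:03 src=10.0.0.8 dst=198.51.100.2:443
2024-01-01 10:00:07 src=10.0.0.8 dst=198.51.100.2:443
2024-01-01 10:01:30 src=10.0.0.8 dst=198.51.100.2:443
2024-01-01 10:02:05 src=10.0.0.8 dst=198.51.100.2:443
"""

if __name__ == "__main__":
    print("known-bad pins:", find_bad_pins(SAMPLE_REQUIREMENTS))
    print("10s beacons:", find_beacons(SAMPLE_LOG))
```

The pin check normalises both the package name and the version so that the three spellings pip and PyPI may produce for one release all match a single indicator. The beacon check deliberately uses a median and a standard deviation rather than exact equality, because real beacons drift by a second or so under load; raise `tolerance_s` if the host clock or the log source is coarse.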