Security researchers have found that open-source packages published on npm and PyPI for the dYdX ecosystem were altered to include code that steals wallet credentials from developers and backend systems, and in some cases backdoors devices.
Infected packages include npm’s @dydxprotocol/v4-client-js (versions 3.4.1, 1.22.1, 1.15.2, 1.0.31) and PyPI’s dydx-v4-client (1.1.5post1).
The malware was embedded in legitimate packages. When a seed phrase is processed, the code exfiltrates it along with a device fingerprint to a domain that mimics the legitimate dYdX site, dydx.priceoracle.site, via typosquatting.
The fingerprint enables attackers to correlate stolen credentials across victims and compromises, threatening any application that depends on the compromised versions and exposing both developers testing with real credentials and production end users to wallet theft.
Socket notes the incident is at least the third targeting of dYdX, following a 2022 npm supply-chain breach and a 2024 DNS hijack that redirected users to a malicious site attempting to sign transactions. The researchers warned that the attack demonstrates a persistent pattern of adversaries abusing trusted distribution channels to reach JavaScript and Python developers. Users are urged to audit dependencies and remove affected versions.
