Malicious packages empty dYdX user wallets

Researchers have revealed that bad actors are targeting dYdX and using malicious packages to empty its user wallets. According to the report, some open source packages published on the npm and PyPi repositories were laced with code that stole wallet credentials from dYdX developers and backend systems.

dYdX is a decentralized derivatives exchange that supports hundreds of markets for perpetual trading. In the report, researchers from security firm Socket mentioned that all the applications using the compromised npm versions are at risk. They claimed the direct impact of the attacks has included complete wallet compromise and crypto thefts. The attack scope includes all the applications that depend on the compromised version, and both developer testing with real credentials and production end-users.

Malicious packages breach wallets associated with dYdX

According to the report, some of the packages that have been infected include npm (@dydxprotocol/v4-client-js):(3.4.1, 1.22.1, 1.15.2, 1.0.31 versions) and PyPI (dydx-v4-client): (1.1.5post1 version). Socket mentioned that the platform has processed more than $1.5 trillion in trading volume since it made its debut in the decentralized finance industry, with an average trading volume of $200 million to $540 million. In addition, the platform also has about $175 million in open interest.

The exchange provides code libraries that allow third-party applications for trading bots, automated strategies, or backend services, all of which involve mnemonics or private keys for signing. The npm malware embedded a malicious function in the legitimate package. When a seed phrase that underpins a wallet’s security is processed, the function copies it along with a fingerprint of the device running the application.

The fingerprint allows the threat actor to match stolen credentials to victims across several compromises. The domain receiving the seed phrases is dydx[.]priceoracle[.]site, which mimics the legitimate dYdX service at dydx[.]xyz through typosquatting. The malicious code available on PyPI continued the same credential theft function, although it implements a remote access Trojan (RAT) that allows execution of new malware on already infected systems.

The researchers noted that the backdoor received commands from dydx[.]priceoracle[.]site, adding that the domain was created and registered on January 9, 17 days before the malicious package was uploaded to PyPI. According to Socket, the RAT runs as a background daemon thread, beacons to the C2 server at a 10-second interval, receives Python code from the server, and executes it in an isolated subprocess with no visible output. In addition, it also uses a hard-coded authorization token.

New attack showcases disturbing trend

Socket added that once installed, the threat actors were able to carry out arbitrary Python code with user privileges, steal SSH keys, API credentials, and source code. In addition, they could also install persistent backdoors, exfiltrate sensitive files, monitor user activity, and modify critical files. The researchers added that the packages were published to npm and PyPI using official dYdX accounts, which meant they were compromised and used by the attackers.

While dYdX is yet to release a statement addressing the issue, this is at least the third time that it has been targeted in attacks. The previous incident occurred in September 2022 when a malicious code was uploaded to the npm repository. In 2024, the dYdX website was commandeered after the V3 website was hijacked through DNS. Users were redirected to a malicious website that prompted them to sign transactions designed to drain their wallets.

Socket claimed that this latest incident highlights a disturbing pattern of adversaries targeting dYdX-related assets using trusted distribution channels. It noted that the attackers knowingly compromised packages in the npm and PyPI ecosystems to expand the attack surface to reach JavaScript and Python developers working with the platform. Anyone using the platform should carefully examine all applications for dependencies on the malicious packages.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.