- dYdX, a decentralized crypto trading platform, suffered a malicious attack designed to steal wallet credentials and give attackers remote access to infected machines.
- The attack compromised the protocol's official packages on npm and PyPI.
- On its official X account, dYdX acknowledged the incident and urged users to take extra security precautions.

In a recent report, cybersecurity researchers disclosed a serious supply chain attack affecting the official dYdX software packages on both npm and PyPI, the two package registries that developers building on the protocol rely on.
The attackers published malicious versions of these packages after breaking into the accounts of trusted maintainers. These versions contain hidden code designed to steal wallet credentials and give the attackers remote access to the machine of anyone who installed them.
dYdX Ecosystem Suffers a Malicious Attack
The attack affected packages within the dYdX ecosystem, which developers use to build apps that interact with the dYdX decentralized exchange—a platform where users trade cryptocurrencies without intermediaries.
Because these packages perform sensitive tasks, such as signing and approving transactions and managing users’ digital wallets, compromising them can have serious consequences for anyone who installs them unknowingly.
Security teams from Socket Security first spotted the issue and shared details in a report. They warned that the malicious packages were published from dYdX’s own registry accounts as apparently legitimate releases, which makes the attack much harder to spot without careful code review.
What the Malicious Code Does
The attack affects two main pieces of software:
- On npm (JavaScript): the package called @dydxprotocol/v4-client-js was published in several versions that contain hidden malware.
- On PyPI (Python): the dydx-v4-client package was also poisoned.
The malicious code in the npm package is a backdoor that acts as a “wallet stealer”: it automatically searches the user’s device for cryptocurrency wallet credentials and related data and, once found, sends that data to the attacker.
The Python version is more dangerous. Besides stealing cryptocurrency wallet credentials, it embeds a RAT (remote access trojan), which gives the attacker remote control of the user’s device.
Once a RAT infects a device, it connects to the attacker’s server and runs quietly in the background, waiting for commands while hiding itself from the user, for example, by not displaying any console windows on Windows systems.
Technically, this attack targets the software supply chain, meaning attackers inserted the malware into widely used packages upstream. This lets attackers reach many users at once because developers often install these packages without thinking twice.
Security experts warn that these kinds of attacks are rising. According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), software supply chain threats have become a top concern for developers and companies because one infected component can spread malware widely.
dYdX Response and What Users Should Do
After being notified of the issue, dYdX publicly acknowledged the breach and advised users and developers to treat the threat with the highest level of seriousness.
In posts on the X social platform formerly known as Twitter, the firm said the official source code on GitHub does not include the malicious content, meaning that users who install code directly from GitHub instead of npm/PyPI can avoid the malware.
The team also recommended that anyone who might have downloaded the bad versions should:
- Isolate the affected computers and disconnect them from the internet or other systems to stop further damage.
- Move any cryptocurrency funds to a fresh wallet from a clean machine that hasn’t installed the compromised packages.
- Rotate all API keys and any other sensitive credentials that may have been exposed.
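Before following those steps, a developer first needs to know whether a project pulled in either package at all. The script below is an added example, not code from dYdX or Socket Security: it reads an npm package-lock.json and the output of `pip freeze`, reports the installed versions of the two packages named above, and flags any version listed in AFFECTED_VERSIONS. The version strings in AFFECTED_VERSIONS and the sample inputs are constructed placeholders, since the advisory versions are not reproduced on this page.

```python
import json
import re

# Added example, not dYdX's or Socket Security's code. It reports the installed
# versions of the two packages named in the advisory and flags any version in
# AFFECTED_VERSIONS. The versions there are PLACEHOLDERS: fill them in from the
# official advisory before use.
WATCHED = {"npm": "@dydxprotocol/v4-client-js", "pypi": "dydx-v4-client"}
AFFECTED_VERSIONS = {"npm": {"0.0.0-placeholder"}, "pypi": {"0.0.0-placeholder"}}

# Constructed sample inputs standing in for a real package-lock.json and `pip freeze`.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "0.0.0-placeholder"}}})
SAMPLE_FREEZE = "requests==2.31.0\ndydx_v4_client==0.0.0-placeholder\n"


def npm_versions(lockfile_text):
    """Versions of the watched npm package found in package-lock.json (v1, v2 or v3)."""
    lock = json.loads(lockfile_text)
    found = set()
    # v2/v3 lockfiles key every installed copy as ".../node_modules/<name>"
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == WATCHED["npm"] and "version" in meta:
            found.add(meta["version"])
    # v1 lockfiles use a flat "dependencies" map keyed by package name
    dep = lock.get("dependencies", {}).get(WATCHED["npm"], {})
    if "version" in dep:
        found.add(dep["version"])
    return found


def pip_versions(freeze_text):
    """Versions of the watched PyPI package found in `pip freeze` output."""
    found = set()
    for line in freeze_text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.-]+)==(\S+)$", line.strip())
        # PyPI treats '-', '_' and '.' (and letter case) as equivalent in names
        if m and re.sub(r"[-_.]+", "-", m.group(1)).lower() == WATCHED["pypi"]:
            found.add(m.group(2))
    return found


def audit(lockfile_text, freeze_text):
    """Map each ecosystem to (versions installed, versions flagged as affected)."""
    npm, pypi = npm_versions(lockfile_text), pip_versions(freeze_text)
    return {"npm": (npm, npm & AFFECTED_VERSIONS["npm"]),
            "pypi": (pypi, pypi & AFFECTED_VERSIONS["pypi"])}
```

Run `audit(open("package-lock.json").read(), subprocess.check_output(["pip", "freeze"], text=True))` in a real project; any non-empty flagged set means the machine should be treated as compromised and the steps above applied.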
Government agencies such as the FTC (Federal Trade Commission) advise individuals to secure their accounts and digital assets as soon as they suspect their credentials have been compromised.
Experts also urge developers to protect their package publishing credentials with strong passwords and two-factor authentication, which helps prevent unauthorized access to those accounts.
This isn’t the first supply chain attack involving dYdX. In 2022, dYdX was the target of multiple supply chain attacks against both its npm ecosystem and older platform infrastructure, a pattern that shows attackers repeatedly abusing trusted development tools to reach the project’s users.
Supply chain threats are rising as attackers target developer tools to deliver malware that infects thousands or millions of users undetected. It is essential for security professionals to maintain constant vigilance against such threats, even as law enforcement escalates its efforts to disrupt the very criminal networks that profit from these schemes.