Supply Chain Attack on dYdX Packages Empties Wallets via Malware

Major Supply Chain Attack Hits dYdX Crypto Exchange: Malicious npm & PyPI Packages Steal Wallet Credentials

The420.in Staff

A sophisticated supply chain attack has been uncovered targeting the dYdX decentralized cryptocurrency exchange ecosystem, where malicious versions of official development packages published on the npm and PyPI repositories were found to contain malware that can steal wallet credentials and compromise user wallets, cybersecurity researchers say. The attack exploited trusted open-source components to trap developers and users relying on those libraries.

The incident illustrates how attackers are increasingly targeting software supply chains in the decentralized finance (DeFi) world, leveraging compromised developer accounts to inject harmful code into otherwise legitimate tools used by traders, bots, automated systems and backend services that interact with dYdX.


Malicious Packages Published as Official dYdX Client Libraries

Security researchers at Socket discovered that several versions of widely used dYdX client libraries had been published with malicious code embedded directly in the package source. The attackers published them using legitimate publishing credentials, most likely obtained through a maintainer account compromise.

The affected versions included:

  • npm (@dydxprotocol/v4-client-js) versions: 3.4.1, 1.22.1, 1.15.2, 1.0.31
  • PyPI (dydx-v4-client) version: 1.1.5post1

These packages are essential tools for developers building applications that interact with the dYdX v4 protocol, including transaction signing, wallet management, order placement and other sensitive DeFi operations.

How the Malware Worked

The malware functions differently depending on the environment:

npm Package (JavaScript)

  • The malicious code was designed to exfiltrate wallet seed phrases along with device fingerprints when the compromised library processed sensitive cryptographic operations.
  • Seed phrases are crucial — anyone with access to them can gain full control of a cryptocurrency wallet and drain funds irreversibly.
  • The stolen data was sent to a typosquatted domain impersonating dYdX services (dydx.priceoracle[.]site), allowing attackers to harvest credentials stealthily.

PyPI Package (Python)

  • In addition to wallet credential theft, this compromised version included a Remote Access Trojan (RAT).
  • The RAT, upon loading, connected periodically to a command-and-control (C2) server and could execute arbitrary code on the infected system with user privileges.
  • This allowed attackers to steal SSH keys, API credentials, source code and other sensitive files — and maintain persistent backdoor access.

The domain receiving stolen data in both cases mimicked legitimate dYdX infrastructure, increasing the risk that developers would trust it.
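Because the report gives the exfiltration host, defenders can check resolver or proxy logs for any machine that looked it up. The script below is an added example written for this article, not code from Socket or the dYdX project: it scans DNS query log lines for the one host the report names (and any label beneath it), normalises case and trailing dots, and counts hits per client so those machines can be pulled for dependency review. The log lines are constructed samples in a dnsmasq-style layout.

```python
"""Scan DNS resolver logs for lookups of the exfiltration host named in the
report. Added example for defenders; not code from Socket or dYdX."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Indicator from the report, written there defanged as dydx.priceoracle[.]site.
# Only the host the report names is listed; extend as further indicators are published.
IOC_HOSTS = ("dydx.priceoracle.site",)

# Constructed sample lines in a dnsmasq-style "query[TYPE] host from client" layout.
SAMPLE_DNS_LOG = """\
Nov  3 10:14:02 resolver dnsmasq[812]: query[A] registry.npmjs.org from 10.0.0.21
Nov  3 10:14:05 resolver dnsmasq[812]: query[A] dydx.priceoracle.site from 10.0.0.21
Nov  3 10:14:06 resolver dnsmasq[812]: query[AAAA] DYDX.PRICEORACLE.SITE. from 10.0.0.21
Nov  3 10:14:09 resolver dnsmasq[812]: query[A] api.dydx.exchange from 10.0.0.33
Nov  3 10:14:11 resolver dnsmasq[812]: query[A] dydx.priceoracle.site.example.com from 10.0.0.40
Nov  3 10:14:15 resolver dnsmasq[812]: query[A] assets.dydx.priceoracle.site from 10.0.0.21
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<host>\S+) from (?P<client>\S+)")

Hit = Tuple[str, str, str]  # (client, normalised host, query type)


def normalise_host(host: str) -> str:
    """Lower-case and drop the trailing dot so 'DYDX.PRICEORACLE.SITE.' compares equal."""
    return host.rstrip(".").lower()


def host_matches(host: str) -> bool:
    """True for the indicator itself or any label beneath it. The suffix check sits
    on a label boundary, so 'dydx.priceoracle.site.example.com' does not match."""
    host = normalise_host(host)
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def scan_dns_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per query line whose host matches an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and host_matches(m.group("host")):
            hits.append((m.group("client"), normalise_host(m.group("host")), m.group("qtype")))
    return hits


def clients_by_hits(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per client address: these are the machines to pull for review."""
    return dict(Counter(client for client, _, _ in hits))


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for client, host, qtype in found:
        print(f"{client} looked up {host} ({qtype})")
    print("per client:", clients_by_hits(found))
```

A single lookup is enough to warrant a look at the client: the compromised library only contacts the host when it handles wallet material, so a developer workstation or CI runner that resolved it has very likely already processed a seed phrase through the malicious code.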

dYdX Ecosystem Impact and Pattern of Attacks

dYdX is a non-custodial decentralized derivatives exchange that supports margin and perpetual trading across numerous markets, with cumulative trading volumes exceeding $1.5 trillion since inception.

This compromise follows earlier attacks targeting the dYdX ecosystem — including a 2022 npm supply chain compromise and a 2024 DNS hijacking incident that redirected users to phishing sites designed to drain wallets.

Security analysts say that the recurrence of attacks highlights persistent threat actors focusing on trusted distribution channels where developers and users assume safety. Supply chain threats are especially potent because they can affect many systems at scale without requiring direct exploitation of individual users.

What Developers and Users Should Do

In response to the incident, experts and the dYdX team have advised:

  • Audit dependencies immediately — check if your development projects or automated systems use any of the compromised versions;
  • Isolate affected systems — remove potentially infected machines from networks until they can be fully cleaned;
  • Move funds to new wallets created on clean systems if your wallet seed phrase was processed with compromised code;
  • Rotate all associated API keys and credentials that might have been exposed;
  • Rely on verified clean versions hosted on official repositories, such as GitHub mirrors maintained by the dYdX developers — these remain unaffected by the attack.
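The first step in that list, checking whether a project pins any of the compromised versions, can be automated. The script below is an added example written for this article, not dYdX tooling: it reads an npm package-lock.json (the nested v1 tree or the v2/v3 "packages" map) and a requirements.txt or pip freeze listing, normalises PyPI project names and post-release spellings (pip prints 1.1.5post1 as 1.1.5.post1), and reports every match against the versions listed above. The lockfile and requirements shown are constructed samples; the audit_files helper and its file-path arguments are this example's own.

```python
"""Audit npm lockfiles and Python requirement pins for the compromised dYdX
client versions named in the report. Added example, not dYdX project code."""
import json
import re
from typing import Dict, Iterator, List, Set, Tuple

# Affected versions exactly as listed in the report.
AFFECTED: Dict[str, Dict[str, Set[str]]] = {
    "npm": {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}},
    "pypi": {"dydx-v4-client": {"1.1.5post1"}},
}

Finding = Tuple[str, str, str, str]  # (ecosystem, package, version, location)

# Constructed sample package-lock.json (lockfileVersion 3 layout).
SAMPLE_PACKAGE_LOCK = {
    "name": "trading-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "0.1.0"},
        "node_modules/@dydxprotocol/v4-client-js": {"version": "1.15.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/@dydxprotocol/v4-client-js": {"version": "1.14.0"},
    },
}

# Constructed sample requirements.txt; line 3 uses the spelling pip freeze emits.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.32.3
dydx-v4-client==1.1.5.post1
Dydx_V4_Client == 1.1.5post1
web3>=6.0
"""


def norm_pypi_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def norm_pypi_version(version: str) -> str:
    """Fold the PEP 440 post-release spellings '1.1.5.post1' and '1.1.5-post1'
    onto '1.1.5post1'. Other PEP 440 equivalences (e.g. '1.1.5-1') are not handled."""
    return version.lower().replace(".post", "post").replace("-post", "post")


def iter_npm_lock(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, location) for every package in a package-lock.json."""
    packages = lock.get("packages")
    if isinstance(packages, dict):  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, str(meta.get("version", "")), path
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():  # lockfileVersion 1 nested tree
            loc = f"{prefix}node_modules/{name}"
            yield name, str(meta.get("version", "")), loc
            yield from walk(meta.get("dependencies", {}), loc + "/")

    yield from walk(lock.get("dependencies", {}), "")


PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def iter_pypi_pins(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (normalised name, version, 'line N') for each '==' pin. Ranges such as
    'web3>=6.0' are skipped: they need a resolved environment, not a text scan."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if m:
            yield norm_pypi_name(m.group(1)), m.group(2), f"line {lineno}"


def audit(lock: dict, requirements: str) -> List[Finding]:
    """Return every pinned or locked package whose version is on the affected list."""
    hits: List[Finding] = []
    for name, version, loc in iter_npm_lock(lock):
        if version in AFFECTED["npm"].get(name, set()):
            hits.append(("npm", name, version, loc))
    bad_py = {k: {norm_pypi_version(v) for v in vs} for k, vs in AFFECTED["pypi"].items()}
    for name, version, loc in iter_pypi_pins(requirements):
        if norm_pypi_version(version) in bad_py.get(name, set()):
            hits.append(("pypi", name, version, loc))
    return hits


def audit_files(lock_path: str, requirements_path: str) -> List[Finding]:
    """Hypothetical convenience wrapper: run audit() over files on disk."""
    with open(lock_path, encoding="utf-8") as f:
        lock = json.load(f)
    with open(requirements_path, encoding="utf-8") as f:
        return audit(lock, f.read())


if __name__ == "__main__":
    for eco, name, version, loc in audit(SAMPLE_PACKAGE_LOCK, SAMPLE_REQUIREMENTS):
        print(f"[{eco}] {name}=={version} at {loc}")
```

Lockfiles are checked rather than package.json because a caret range like ^1.15.0 says nothing about which version was actually installed; for Python, the same applies to unpinned ranges, which the scanner deliberately skips so that pip freeze output from the real environment is used instead.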

The incident serves as a stark reminder that software supply chain security is as critical as network or application security, especially in decentralized finance where private keys and credentials directly control access to valuable assets.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
