
Security researchers have identified a supply chain attack targeting developers and users of the dYdX decentralized exchange. Malicious packages uploaded to the npm and PyPI repositories contained code designed to steal wallet credentials and backdoor systems, according to findings released by security firm Socket.
Socket said on Friday that every application pulling in one of the compromised versions is at risk: the direct impact is full wallet compromise and irreversible theft of funds, and the exposure covers both developers who test with real credentials and the end users of production services built on those versions.
The affected releases are versions 3.4.1, 1.22.1, 1.15.2 and 1.0.31 of the npm package @dydxprotocol/v4-client-js and version 1.1.5post1 of the PyPI package dydx-v4-client. Third-party trading bots, automated strategies and backend services use these libraries to sign transactions on the dYdX platform, which means they handle the mnemonics or private keys the malware targets. Note that the malicious versions were published across several release lines rather than only as the latest release, so a project pinned to an older major is not automatically safe; any wallet whose mnemonic or key was loaded by one of these versions should be treated as compromised.
dYdX is a decentralized derivatives exchange that lists hundreds of perpetual-futures markets, where users bet on the future price of crypto assets using cryptocurrency as collateral. Socket reported that dYdX has processed over $1.5 trillion in trading volume over its lifetime, with average trading volume of $200 million to $540 million and roughly $175 million in open interest.
The malware embedded in the npm package hooked the code path that handles the wallet seed phrase (the mnemonic from which every key in the wallet is derived): whenever a seed phrase was processed, the malicious function exfiltrated it together with a fingerprint of the host running the application. The fingerprint lets the threat actor correlate stolen credentials and recognise the same victim across multiple compromises.
Stolen data was sent to dydx[.]priceoracle[.]site, a look-alike domain chosen to pass as part of the exchange's infrastructure (the legitimate service lives at dydx[.]xyz). The dydx label is only a subdomain of priceoracle[.]site, which the attacker controls, but a reviewer skimming egress logs or a string in the bundle can easily read it as a first-party endpoint.
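The two checks a practitioner wants after reading the version list and the exfiltration domain above are (1) does my project depend on one of the compromised releases, and (2) does anything in my tree reference the attacker's domain. The following script is an added example and is not code from Socket, dYdX or the affected packages; it parses an npm package-lock.json (lockfile v1 and v2/v3 layouts), pinned lines from pip freeze or requirements.txt, and scans file contents for the domain even when it is split across string concatenations. The sample lockfile, requirements text and file contents are constructed for the example, and the post-release normalisation in `canon` is an assumption that pip's `1.1.5.post1` spelling should match the report's `1.1.5post1`.

```python
"""Audit a project for the compromised dYdX client releases and the exfil domain.

Added example for this article, not code from Socket, dYdX or the packages.
"""
import json
import re

# Indicators of compromise taken from the report above.
COMPROMISED = {
    "@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"},
    "dydx-v4-client": {"1.1.5post1"},
}
EXFIL_DOMAIN = "dydx.priceoracle.site"


def canon(version):
    """Normalise post-release spelling so '1.1.5post1', '1.1.5-post1' and
    pip's '1.1.5.post1' compare equal (assumed sufficient for this check)."""
    return re.sub(r"[.\-_]?post", ".post", version.strip().lower())


def npm_findings(lockfile_text):
    """Return sorted [(name, version)] of compromised packages in a package-lock.json.

    Lockfile v2/v3 lists every installed copy under "packages" keyed by its
    node_modules path; v1 nests them under "dependencies".  Both are walked so
    a transitive copy buried under another dependency is still reported.
    """
    lock = json.loads(lockfile_text)
    hits = set()

    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = meta.get("name") or path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.add((name, meta["version"]))

    def walk(deps):
        for name, meta in deps.items():
            if meta.get("version") in COMPROMISED.get(name, ()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def pypi_findings(requirements_text):
    """Return [(name, version)] of compromised PyPI packages among pinned ('==')
    lines of pip freeze / requirements.txt output.  Unpinned lines are ignored."""
    hits = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)", line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # PyPI names are case/_-insensitive
        bad = {canon(v) for v in COMPROMISED.get(name, ())}
        if canon(m.group(2)) in bad:
            hits.append((name, m.group(2)))
    return hits


def ioc_findings(files):
    """Return paths (from a {path: text} mapping) whose contents reference the
    exfil domain.  All non-alphanumerics are squashed first so 'dydx' + '.priceoracle'
    + '.site' or dydx[.]priceoracle[.]site still match; this is deliberately coarse."""
    needle = re.sub(r"[^a-z0-9]", "", EXFIL_DOMAIN)
    return [p for p, text in files.items()
            if needle in re.sub(r"[^a-z0-9]", "", text.lower())]


def audit(lockfile_text, requirements_text, files):
    """Run all three checks and return their findings keyed by source."""
    return {
        "npm": npm_findings(lockfile_text),
        "pypi": pypi_findings(requirements_text),
        "ioc": ioc_findings(files),
    }


# Constructed sample inputs: a v3 lockfile pulling in a bad release, a pinned
# requirements file, and a bundle that assembles the domain from fragments.
SAMPLE_LOCK = json.dumps({
    "name": "trading-bot", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "0.1.0"},
        "node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.1"},
        "node_modules/long": {"version": "5.2.3"},
    },
})
SAMPLE_REQS = "requests==2.32.3\ndydx-v4-client==1.1.5.post1  # pinned\n"
SAMPLE_FILES = {
    "node_modules/@dydxprotocol/v4-client-js/build/x.js":
        "const h = 'dydx' + '.priceoracle' + '.site';",
    "src/bot.js": "console.log('hello');",
}

if __name__ == "__main__":
    for source, found in audit(SAMPLE_LOCK, SAMPLE_REQS, SAMPLE_FILES).items():
        print(source, found)
```

Run it against a real tree by reading package-lock.json, the output of `pip freeze`, and the contents of files under node_modules and site-packages into the three arguments of `audit`. The domain scan is intentionally loose and will need manual review of anything it flags; the version checks are exact and should be treated as a hard stop.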