Categories: Cyber Security News

Threat Actors Publish Malicious dYdX Packages to npm and PyPI Repositories

Cybersecurity firm Socket uncovered a supply chain attack where threat actors published malicious versions of dYdX client packages to npm and PyPI ecosystems.

This incident, detected on January 27, 2026, targeted developers using these tools for cryptocurrency trading on the decentralized exchange dYdX.

Attack Overview

Threat actors likely compromised a dYdX maintainer account to release poisoned packages. The affected npm package @dydxprotocol/v4-client-js versions are 3.4.1, 1.22.1, 1.15.2, and 1.0.31.


The PyPI package dydx-v4-client version 1.1.5post1 also carried malware.

These packages help developers interact with the dYdX v4 protocol for tasks like transaction signing and wallet management. dYdX handles over $1.5 trillion in lifetime trading volume across 240+ perpetual markets.

The malicious code was hidden in core library files, registry.ts in the npm package and account.py in the PyPI package, so it runs during ordinary use of the client, not only at install time.

Socket notified dYdX on January 28, prompting public warnings on X to isolate systems and rotate credentials.

Malware Mechanics

In the npm versions, a tampered createRegistry() function steals seed phrases and device fingerprints and exfiltrates them via HTTP POST to https://dydx.priceoracle.site/v4/price, a look-alike domain whose dydx subdomain is meant to pass as legitimate dYdX infrastructure (the real site is dydx.xyz).

Device fingerprinting combines the MAC address, hostname, OS details, and machine ID into a SHA-256 hash that the attackers use to track individual victims. The theft is wrapped in a try-catch with an empty catch block, so any failure is swallowed and nothing is surfaced to the developer.

The PyPI version goes further and adds a Remote Access Trojan (RAT). A list_prices() function mirrors the npm package's credential theft, while _bootstrap.py automatically runs an obfuscated payload stored in config.py. The payload is unpacked through 100 iterations of reverse, base64 decode, and zlib decompress before it is executed.
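The layered packing described above is easy to re-create and, more usefully, to peel automatically when the layer count is unknown. The following is an added example written for this article, not the malware's own loader or any dYdX code: the placeholder payload, the helper names and the strict "stop when a layer no longer decodes" rule are assumptions of the example. Nothing here executes the recovered stage; it only checks that what comes out compiles as Python.

```python
"""Reverse -> base64 decode -> zlib decompress, applied 100 times, as an analyst's
tool. Constructed example; the payload text and helper names are assumptions."""
import base64
import binascii
import zlib

ROUNDS = 100  # the article reports 100 unwrap iterations

# Constructed stand-in for the hidden stage (the real one was a RAT loader).
SAMPLE_PAYLOAD = b'print("stage-2 would run here")  # constructed placeholder\n'


def wrap(payload: bytes, rounds: int = ROUNDS) -> bytes:
    """Pack `rounds` layers. Unwrap order is reverse -> base64 decode -> zlib
    decompress, so packing is zlib compress -> base64 encode -> reverse."""
    data = payload
    for _ in range(rounds):
        data = base64.b64encode(zlib.compress(data))[::-1]
    return data


def unwrap_once(blob: bytes) -> bytes:
    """Strip one layer. Raises binascii.Error or zlib.error if `blob` is not a
    packed layer (strict base64 validation rejects non-alphabet bytes)."""
    return zlib.decompress(base64.b64decode(blob[::-1], validate=True))


def peel(blob: bytes, max_layers: int = 10_000) -> tuple[bytes, int]:
    """Strip layers until the data stops looking like a packed layer.

    Returns (innermost data, number of layers removed). During triage you
    rarely know the layer count in advance; the loop stops at the first layer
    that fails strict base64 decoding or zlib inflation, which is what plain
    Python source does immediately (spaces, quotes and parentheses are not
    base64 alphabet characters).
    """
    data = blob
    layers = 0
    while layers < max_layers:
        try:
            data = unwrap_once(data)
        except (binascii.Error, zlib.error, ValueError):
            break
        layers += 1
    return data, layers


def looks_like_python(data: bytes) -> bool:
    """Sanity check on the peeled result: does it compile as a Python module?
    compile() parses only; it never runs the code."""
    try:
        compile(data, "<peeled>", "exec")
        return True
    except (SyntaxError, ValueError):
        return False


if __name__ == "__main__":
    packed = wrap(SAMPLE_PAYLOAD)
    inner, n = peel(packed)
    print(f"packed size: {len(packed)} bytes, layers removed: {n}")
    print("compiles as Python:", looks_like_python(inner))
    print(inner.decode())
```

When you meet a blob like this in a real package, run peel() rather than guessing the iteration count, and hand the result to a parser or a sandbox, never to exec().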


The RAT beacons to https://dydx.priceoracle.site/py every 10 seconds, authenticating with a hardcoded token: 490CD9DAD3FAE1F59521C27A96B32F5D677DD41BF1F706A0BF85E69CA6EBFE75. Whatever Python code the server returns is fetched and run in hidden subprocesses, with TLS certificate verification disabled.

On Windows, the CREATE_NO_WINDOW flag keeps those subprocesses from showing a console. The RAT runs with the privileges of the user who imported the package, which on a developer workstation is enough to steal SSH keys, API credentials, and source code, install backdoors, and pivot into the internal network.
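A fixed 10-second poll is one of the few things about this RAT that is easy to catch at the network edge. The script below is an added example of beacon-cadence detection over outbound proxy logs; it is not code from the original page or from Socket or dYdX. The log format (epoch seconds, client IP, method, URL) and the sample lines are constructed for the demo, and the jitter threshold is an assumption you would tune against your own baseline.

```python
"""Beacon-cadence detection over outbound proxy logs. Constructed example: the
log format, sample lines and thresholds are assumptions, not the page's code."""
import re
import statistics
from collections import defaultdict

C2_HOST = "dydx.priceoracle.site"  # domain reported in the article

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s]*)?", re.IGNORECASE)


def parse(lines):
    """Yield (timestamp, client, host, path); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        u = URL_RE.match(m.group("url"))
        if not u:
            continue
        yield float(m.group("ts")), m.group("client"), u.group(1).lower(), u.group(2) or "/"


def find_beacons(lines, min_hits=5, max_jitter=0.25):
    """Group requests by (client, host, path) and flag series whose inter-request
    gaps are nearly constant: coefficient of variation (stdev / mean) <= max_jitter.
    A sleep-loop poll like the reported 10 s beacon gives a CV near zero; human
    or application traffic to one endpoint is far burstier."""
    series = defaultdict(list)
    for ts, client, host, path in parse(lines):
        series[(client, host, path)].append(ts)

    alerts = []
    for (client, host, path), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            alerts.append({
                "client": client, "host": host, "path": path,
                "hits": len(times), "period_s": round(mean, 2),
                "known_c2": host == C2_HOST,
            })
    return alerts


# Constructed sample: one workstation polling the C2 every ~10 s, interleaved
# with ordinary irregular traffic from the same host that must not be flagged.
SAMPLE_LOG = """\
1769500000.0 10.0.0.7 GET https://dydx.priceoracle.site/py
1769500003.0 10.0.0.7 GET https://registry.npmjs.org/axios
1769500010.1 10.0.0.7 GET https://dydx.priceoracle.site/py
1769500020.0 10.0.0.7 GET https://dydx.priceoracle.site/py
1769500025.0 10.0.0.7 GET https://registry.npmjs.org/axios
1769500030.2 10.0.0.7 GET https://dydx.priceoracle.site/py
1769500031.0 10.0.0.7 GET https://registry.npmjs.org/axios
1769500040.0 10.0.0.7 GET https://dydx.priceoracle.site/py
1769500050.0 10.0.0.7 GET https://dydx.priceoracle.site/py
1769500170.0 10.0.0.7 GET https://registry.npmjs.org/axios
1769500177.0 10.0.0.7 GET https://registry.npmjs.org/axios
this line is garbage and is skipped
"""

if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG.splitlines()):
        print(alert)
```

The cadence check is independent of the indicator list, which matters because the domain will move; the known_c2 flag just lets you prioritise a hit that also matches a published IOC.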

The domain priceoracle.site was registered on January 9, 2026, less than three weeks before the packages appeared, and has been placed under registrar transfer locks since the reports.

dYdX has been targeted before: an npm compromise in September 2022 that stole credentials, and a DNS hijacking in July 2024 that drained wallets through a phishing page.

The impact differs by ecosystem: users of the bad npm versions face wallet drains, while users of the bad PyPI version face full system compromise. Trading bots, algorithmic strategies, and DeFi applications that pulled in an affected version are at highest risk, since they typically hold live keys.

Mitigation Steps

  • Audit dependencies and lockfiles for the affected versions; pin to known-good versions published on the project's GitHub.
  • Use tools such as the Socket scanner, GitHub App, and CLI to detect malicious package versions before they are installed.
  • Isolate affected machines; from a clean machine, move funds to freshly generated wallets and rotate keys and credentials.
  • Block the malicious IOCs: the dydx.priceoracle.site endpoints and the listed package versions.
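The first and last steps above are mechanical enough to script. What follows is an added example of a small audit helper, not code from Socket or dYdX: it flags the affected versions in an npm lockfile (lockfileVersion 1, 2 or 3) and in a pip freeze or requirements listing, and searches arbitrary text for the reported C2 domain and beacon token. The sample lockfile, requirements file and source snippet are constructed; one detail worth noting is that pip normalises the PyPI version string 1.1.5post1 to 1.1.5.post1, so the check canonicalises both sides before comparing.

```python
"""Audit helper for the dYdX package compromise. Constructed example, not code
from Socket or dYdX; the sample inputs below are made up for demonstration."""
import json
import re

# Indicators as reported in the article. PEP 440 canonical form of "1.1.5post1"
# is "1.1.5.post1", which is what `pip freeze` prints.
BAD_NPM = {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}}
BAD_PYPI = {"dydx-v4-client": {"1.1.5.post1"}}
IOC_STRINGS = (
    "dydx.priceoracle.site",
    "490CD9DAD3FAE1F59521C27A96B32F5D677DD41BF1F706A0BF85E69CA6EBFE75",
)


def norm_pypi_name(name: str) -> str:
    """PEP 503 name normalisation: runs of -, _ and . become -, lowercase."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def norm_pypi_version(version: str) -> str:
    """Enough of PEP 440 for this case: '1.1.5post1' -> '1.1.5.post1'."""
    return re.sub(r"(\d)post", r"\1.post", version.strip().lower())


def find_bad_pypi(requirements_text: str) -> list[tuple[str, str]]:
    """Scan `name==version` lines (requirements.txt or `pip freeze` output)."""
    hits = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if not m:
            continue
        name, ver = norm_pypi_name(m.group(1)), norm_pypi_version(m.group(2))
        if ver in BAD_PYPI.get(name, set()):
            hits.append((name, ver))
    return hits


def _iter_lock_entries(lock: dict):
    """Yield (package name, version) from lockfileVersion 2/3 ('packages', flat
    with node_modules/ paths) and lockfileVersion 1 ('dependencies', nested)."""
    for path, meta in lock.get("packages", {}).items():
        if path and "node_modules/" in path:
            yield path.rsplit("node_modules/", 1)[1], meta.get("version", "")
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", "")
        stack.extend(meta.get("dependencies", {}).items())


def find_bad_npm(lockfile_json: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs in a package-lock.json that are on the list."""
    lock = json.loads(lockfile_json)
    return [(n, v) for n, v in _iter_lock_entries(lock) if v in BAD_NPM.get(n, set())]


def find_iocs(text: str) -> list[str]:
    """Case-insensitive search for the C2 domain and beacon token in any text
    (vendored node_modules, site-packages, bundles, CI logs)."""
    low = text.lower()
    return [ioc for ioc in IOC_STRINGS if ioc.lower() in low]


# Constructed sample inputs.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-bot", "version": "0.1.0"},
        "node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.1"},
        "node_modules/axios": {"version": "1.7.9"},
    },
})
SAMPLE_REQS = "requests==2.32.3\nDydx_V4_Client == 1.1.5post1  # pinned last week\nnumpy==2.1.0\n"
SAMPLE_SOURCE = 'URL = "https://DYDX.priceoracle.site/v4/price"\n'

if __name__ == "__main__":
    print("npm hits: ", find_bad_npm(SAMPLE_LOCK))
    print("pypi hits:", find_bad_pypi(SAMPLE_REQS))
    print("iocs:     ", find_iocs(SAMPLE_SOURCE))
```

Run it against the lockfiles and freeze output of every project on a machine, not just the one you remember installing the client in; transitive dependencies and old virtualenvs are where these versions hide.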

This multi-ecosystem attack (MITRE ATT&CK T1195.002, Compromise Software Supply Chain) underscores how exposed crypto development tooling is to supply chain compromise. Developers should scan and pin dependencies rigorously rather than trusting a package name alone.
