
Compromised dYdX npm and PyPI packages deliver wallet stealer and RAT malware

February 6, 2026

Cybersecurity researchers have discovered a new supply chain attack that compromises legitimate packages on npm and the Python Package Index (PyPI) repository, pushing malicious versions to facilitate wallet credential theft and remote code execution.

The compromised versions of the two packages are shown below.

“The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages provide tools for developers to interact with the dYdX v4 protocol, including transaction signing, order issuing, and wallet management,” said Socket security researcher Kush Pandya. “Applications using these packages handle sensitive cryptocurrency operations.”

dYdX is a non-custodial decentralized cryptocurrency exchange that offers margin trading and perpetual swaps, giving users full control over their assets. The DeFi exchange says on its website that its cumulative trading volume has exceeded $1.5 trillion.

It is not yet known exactly how these malicious updates were pushed, but it is suspected to be a case of developer account compromise, since the malicious versions were published using legitimate publishing credentials.

The changes introduced by the threat actors target both the JavaScript and Python ecosystems, with different payloads for each. In the case of npm, the malicious code acts as a cryptocurrency wallet stealer that siphons seed phrases and device information. The Python package, meanwhile, includes a remote access trojan (RAT) in addition to the wallet stealer functionality.

The RAT component runs as soon as the package is imported and connects to an external server (dydx.priceoracle[.]site/py) to retrieve commands for subsequent execution on the host. On Windows systems, it uses the CREATE_NO_WINDOW flag so that it runs without a visible console window.

“Threat actors demonstrated detailed knowledge of the package internals and injected malicious code into core registry files (registry.ts, registry.js, account.py) that are executed during normal package usage,” Pandya said.

“The 100 iterative obfuscations and coordinated cross-ecosystem deployment in the PyPI version suggest that the threat actors were not exploiting technical vulnerabilities in the registry itself, but were accessing public infrastructure directly.”

Following responsible disclosure on January 28, 2026, dYdX acknowledged the incident in a series of posts on X, urging users who may have downloaded the compromised versions to isolate affected machines, move funds from clean systems to new wallets, and rotate all API keys and credentials.

“The version of dydx-v4-clients hosted on dydxprotocol GitHub does not contain any malware,” it added.

This is not the first time the dYdX ecosystem has been the target of supply chain attacks. In September 2022, Mend and Bleeping Computer reported a similar incident in which a dYdX staff member’s npm account was hijacked and used to publish new versions of multiple npm packages containing code that stole credentials and other sensitive data.

Two years later, the exchange also revealed that websites related to the now-defunct dYdX v3 platform had been compromised and redirected users to phishing sites in an attempt to drain their wallets.

“When viewed in conjunction with the 2022 npm supply chain breach and 2024 DNS hijacking incident, this attack highlights a persistent pattern of threat actors targeting dYdX-related assets through trusted distribution channels,” Socket said.

“Nearly identical credential theft implementations across languages indicate deliberate planning. The attackers maintained consistent theft endpoints, API keys, and device fingerprinting logic while deploying ecosystem-specific attack vectors. The npm version focuses on credential theft, while the PyPI version adds persistent system access.”

Supply chain risks from non-existent packages

The disclosure came as Aikido detailed how npm packages referenced in README files and scripts but not actually published pose an attractive supply chain attack vector, allowing threat actors to distribute malware by publishing packages under those names.

The discovery is the latest sign that software supply chain threats are becoming increasingly sophisticated, allowing attackers to exploit the trust placed in open source repositories to compromise many users at once.

“Sophisticated attackers are moving up the software supply chain because they are provided with a deep, low-noise initial access path to downstream environments,” said Sygnia’s Omer Kidron.

“The same approach supports both precision compromise (specific vendors, maintainers, build IDs) and large-scale opportunistic attacks (‘spraying’) through a widely trusted ecosystem, and is relevant to all organizations, whether or not they see themselves as the primary target.”

According to Aikido’s analysis, the 128 phantom packages recorded a total of 121,539 downloads from July 2025 to January 2026, with an average of 3,903 downloads per week, rising to a peak of 4,236 downloads last month. The most downloaded packages are:

  • openapi-generator-cli (48,356 downloads), mimics @openapitools/openapi-generator-cli
  • cucumber-js (32,110 downloads), mimics @cucumber/cucumber
  • depcruise (15,637 downloads), mimics dependency-cruiser
  • jsdoc2md (4,641 downloads)
  • grpc_tools_node_protoc (4,518 downloads)
  • vue-demi-switch (1,166 downloads)

“Openapi-generator-cli recorded 3,994 downloads in the past seven days alone,” said security researcher Charlie Eriksen. “That’s nearly 4,000 times in a week that someone tried to run a command that didn’t exist.”

This finding highlights a blind spot in npm’s typosquatting protection. That protection actively blocks attempts to register names spelled similarly to existing packages, but it does nothing for names that were never registered in the first place, since there is nothing to compare them against, so anyone can publish a package under such a name.

To reduce this npx-related risk, Aikido recommends the following steps:

  • Use “npx --no-install” to block the registry fallback, so the command fails if the package is not already installed locally
  • Explicitly install CLI tools rather than relying on npx to fetch them on demand
  • Ensure a package actually exists before documentation asks users to run it
  • Register obvious aliases and misspellings so that malicious actors cannot claim them
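As an added example (not code from the article, Aikido, or npm), the following Node.js script audits a README and package.json for the gap described above: it extracts every `npx <name>` invocation and reports names that are neither declared as a dependency (and therefore pinned by the lockfile) nor guarded by a no-install flag. The sample README and package.json are constructed; the flag check accepts both `--no-install` and its newer `--no` spelling, which is an assumption about the npm version in use.

```javascript
// Match "npx", any leading flags, then the package spec (optionally scoped and versioned).
const NPX_RE = /\bnpx\s+((?:--?[\w-]+(?:=\S+)?\s+)*)((?:@[\w.-]+\/)?[\w.-]+)(@[^\s]+)?/g;

// Return every npx invocation found in free text: package name, flags, and
// whether a flag blocks the registry fallback.
function findNpxInvocations(text) {
  const found = [];
  for (const m of text.matchAll(NPX_RE)) {
    const flags = m[1].trim().split(/\s+/).filter(Boolean);
    const noInstall = flags.includes('--no-install') || flags.includes('--no');
    found.push({ name: m[2], flags, noInstall });
  }
  return found;
}

// Names pinned by package.json (and hence by the lockfile).
function declaredPackages(pkgJson) {
  return new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.devDependencies || {}),
  ]);
}

// Names invoked via npx that would fall back to a registry fetch: not declared
// and not guarded. If such a name is unpublished, it is a phantom package that
// an attacker could register, so each hit should be installed explicitly or
// the invocation guarded with --no-install.
function unguardedNpxNames(text, pkgJson) {
  const declared = declaredPackages(pkgJson);
  const out = new Set();
  for (const inv of findNpxInvocations(text)) {
    if (!declared.has(inv.name) && !inv.noInstall) out.add(inv.name);
  }
  return [...out].sort();
}

// Constructed sample input, not real project files. The first command uses the
// unscoped "openapi-generator-cli" name even though the scoped package is what
// is declared, which is exactly the phantom-package pattern from the article.
const SAMPLE_README = `
## Usage
Generate the client: \`npx openapi-generator-cli generate -i api.yaml\`
Run tests: \`npx --no-install cucumber-js\`
Lint: \`npx @scope/real-tool@1.2.0 --strict\`
`;
const SAMPLE_PACKAGE_JSON = {
  devDependencies: {
    '@openapitools/openapi-generator-cli': '^2.13.0',
    '@cucumber/cucumber': '^10.0.0',
    '@scope/real-tool': '1.2.0',
  },
};

console.log('unguarded npx names:', unguardedNpxNames(SAMPLE_README, SAMPLE_PACKAGE_JSON));
```

Run it against a real repository by reading README.md and package.json from disk in place of the constructed samples; a non-empty result is a candidate phantom package to resolve before the documentation ships.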

“There are millions of packages in the npm ecosystem,” says Eriksen. “Developers run the npx command thousands of times every day. The gap between ‘convenient default’ and ‘arbitrary code execution’ is one unrequested package name.”
