Hackers Have Been Stealing Wallet Credentials from a Decentralized Crypto Exchange Using Malicious Packages on Popular Repositories.
A security firm has revealed that malicious packages published on the npm and PyPI repositories, two of the largest open-source package registries, have been used by hackers to steal wallet credentials from users of the dYdX cryptocurrency exchange. The attack, which is at least the third time dYdX has been targeted in recent years, highlights a persistent pattern of attackers exploiting trusted distribution channels.
The malicious code was embedded in otherwise legitimate packages and allowed thieves to exfiltrate sensitive information such as the seed phrases that underpin wallet security. In some cases, the hackers also backdoored devices, enabling them to track victims across multiple compromises by fingerprinting the infected machines.
The attack on dYdX began with packages published on npm, including versions 3.4.1 and 1.22.1 of the @dydxprotocol/v4-client-js library, as well as on PyPI, where a malicious package called dydx-v4-client was uploaded. The malicious code contained a function that stole wallet credentials whenever a seed phrase was processed.
Researchers from security firm Socket warned that every application using these compromised packages is at risk, with direct impact including complete wallet compromise and irreversible cryptocurrency theft. They also noted that the attack scope includes all applications depending on the compromised versions and both developers testing with real credentials and production end-users.
The attackers used a remote access Trojan (RAT) to execute new malware on infected systems, allowing them to steal SSH keys, API credentials, and source code. The RAT was able to execute arbitrary Python code with user privileges and exfiltrate sensitive files, monitor user activity, modify critical files, and pivot to other systems on the network.
The incident highlights a disturbing trend of attackers targeting dYdX-related assets through trusted distribution channels. It is essential for users to carefully examine all apps for dependencies on the malicious packages listed above to prevent similar attacks in the future.
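The check the article calls for, examining applications for dependencies on the named packages, can be scripted against lockfiles. The following Python script is an added example written for this article; it is not code from Socket, dYdX or the article's author. It flags the two npm versions named above in a package-lock.json (lockfile v1 and v2/v3 layouts) and any pin of the PyPI name dydx-v4-client in a requirements.txt, since the article gives no PyPI version; a PyPI match is therefore a prompt to verify the installed package, not proof of compromise. The lockfile and requirements content at the bottom are constructed sample inputs.

```python
"""Scan lockfiles for the compromised dYdX client packages named in the article."""
import json
import re

# Indicators taken from the article: exact npm versions, and the PyPI package name.
BAD_NPM = {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1"}}
BAD_PYPI = {"dydx-v4-client"}  # no version given in the article, so any pin is reported


def npm_lock_findings(lock_text):
    """Return sorted [(name, version)] of compromised npm packages in a package-lock.json."""
    lock = json.loads(lock_text)
    findings = set()

    # lockfileVersion 2/3: flat "packages" map keyed by node_modules path
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # handles nested node_modules paths
        if meta.get("version") in BAD_NPM.get(name, set()):
            findings.add((name, meta["version"]))

    # lockfileVersion 1: nested "dependencies" tree (transitive deps are nested)
    def walk(deps):
        for name, meta in deps.items():
            if meta.get("version") in BAD_NPM.get(name, set()):
                findings.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    if "packages" not in lock:
        walk(lock.get("dependencies", {}))
    return sorted(findings)


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# project name, optional extras, optional "==version" (other specifiers are not pins)
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(==\s*([^\s;#]+))?")


def pypi_findings(req_text):
    """Return [(normalized name, pinned version or '*')] for the flagged PyPI package."""
    findings = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("-"):  # skip blanks and pip options like -r/-e
            continue
        m = REQ_LINE.match(line)
        if m and normalize(m.group(1)) in BAD_PYPI:
            findings.append((normalize(m.group(1)), m.group(3) or "*"))
    return findings


# Constructed sample inputs (not real project files).
SAMPLE_LOCK = json.dumps({
    "name": "trading-bot", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "0.1.0"},
        "node_modules/@dydxprotocol/v4-client-js": {"version": "3.4.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-wrapper": {"version": "2.0.0",
                         "dependencies": {"@dydxprotocol/v4-client-js": {"version": "1.22.1"}}},
    },
})
SAMPLE_REQS = "requests==2.32.3\nDydx_V4_Client==1.0.0  # pinned\n# numpy\n-r base.txt\n"

if __name__ == "__main__":
    for label, hits in (("package-lock.json", npm_lock_findings(SAMPLE_LOCK)),
                        ("package-lock.json (v1)", npm_lock_findings(SAMPLE_LOCK_V1)),
                        ("requirements.txt", pypi_findings(SAMPLE_REQS))):
        for name, ver in hits:
            print(f"[!] {label}: {name}=={ver} matches a reported indicator")
```

Run it against a real project by reading the project's own package-lock.json and requirements.txt instead of the samples. Checking the lockfile rather than package.json matters: a range such as a caret spec in package.json can resolve to a flagged version without the flagged number ever appearing in the manifest, and the lockfile records what was actually installed.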