Malicious packages targeting the dYdX cryptocurrency exchange drain users’ wallets

by admin
Researchers reported that open-source packages on the npm and PyPI registries contained code that exfiltrated wallet credentials from dYdX developers and backend systems and, in some cases, implanted backdoors on devices.

“Any application using the compromised npm releases is exposed ….” the researchers, from security firm Socket, said Friday. “Immediate consequences include full wallet takeover and irreversible loss of cryptocurrency. The incident affects all software depending on the compromised versions, encompassing developers who test with real credentials as well as production end users.”

The compromised packages included:

npm (@dydxprotocol/v4-client-js):

  • 3.4.1
  • 1.22.1
  • 1.15.2
  • 1.0.31

PyPI (dydx-v4-client):

  • 1.1.5post1

Perpetual trading, persistent targeting

dYdX runs a decentralized derivatives exchange that hosts hundreds of markets for “perpetual trading,” where cryptocurrency is used to speculate on the direction of a derivative’s value. Socket said dYdX has processed more than $1.5 trillion in trading volume to date, with typical trading volumes ranging from $200 million to $540 million and roughly $175 million in open interest. The platform provides SDKs and libraries that third parties use to build trading bots, automated strategies, or backend services, many of which handle mnemonics or private keys for signing.

The malicious npm package injected a rogue function into the genuine library. When a wallet seed phrase was handled, the function stole it and sent it out along with a device fingerprint. That fingerprint enabled the attacker to link stolen credentials and track victims across multiple compromises. The seed phrases were sent to dydx[.]priceoracle[.]site, a typosquatting domain impersonating the legitimate dYdX site at dydx[.]xyz.