Listen to this Post
A new cybersecurity threat is sweeping through the cryptocurrency development world, targeting developers who rely on popular packages from npm and PyPI. Security researchers have uncovered a sophisticated supply chain attack that manipulates legitimate packages to steal wallet credentials and execute remote code. This alarming development highlights the growing risk of trusting widely used open-source tools without additional verification.
Compromised Packages Identified
The affected packages are integral to interacting with the dYdX v4 protocol, a decentralized exchange for margin and perpetual swaps. The malicious versions are as follows:
npm: @dydxprotocol/v4-client-js – 3.4.1, 1.22.1, 1.15.2, 1.0.31
PyPI: dydx-v4-client – 1.1.5post1
These packages enable developers to perform sensitive cryptocurrency operations, including transaction signing, order placement, and wallet management. According to Socket security researcher Kush Pandya, the attackers likely gained access through developer account compromise, as the rogue versions were published with legitimate credentials rather than exploiting registry vulnerabilities.
How the Attack Works
The attack uses different payloads depending on the ecosystem:
npm version: Acts as a cryptocurrency wallet stealer, siphoning seed phrases and device information.
PyPI version: Includes both the wallet stealer and a remote access trojan (RAT) that executes automatically when the package is imported. The RAT contacts an external server (dydx.priceoracle[.]site/py) for commands and hides itself on Windows systems using the CREATE_NO_WINDOW flag.
Pandya emphasized that the threat actor demonstrated deep knowledge of package internals, embedding malicious code in core files like registry.ts, registry.js, and account.py. The PyPI version even used 100 iterations of obfuscation, indicating meticulous planning and direct access to publishing infrastructure.
dYdX Response and Historical Context
Following responsible disclosure on January 28, 2026, dYdX warned users to:
Isolate affected machines
Transfer funds to a new wallet from a secure system
Rotate API keys and credentials
dYdX confirmed that the versions hosted on its official GitHub are safe. This is not the first attack against the ecosystem:
September 2022: npm accounts of dYdX staff were hijacked, leading to credential theft.
2024: The dYdX v3 website was compromised, redirecting users to a phishing site.
The repeated incidents underscore a pattern of adversaries targeting trusted distribution channels to compromise user assets.
Supply Chain Vulnerabilities Beyond dYdX
This attack also highlights a broader issue with software supply chains. Aikido’s research revealed phantom npm packages—names referenced in documentation but never published—that became vectors for malware. Between July 2025 and January 2026, 128 such packages collectively saw over 121,500 downloads, including:
openapi-generator-cli – 48,356 downloads
cucumber-js – 32,110 downloads
depcruise – 15,637 downloads
Developers using npx commands can unknowingly trigger arbitrary code execution if a package is unregistered, as npm’s typosquatting protections don’t prevent attackers from claiming unregistered names.
Recommended Mitigations
Experts suggest:
Using npx –no-install to block registry fallback
Installing CLI tools explicitly
Verifying package existence before execution
Registering common aliases to prevent malicious claims
What Undercode Says:
Escalating Risk in DeFi Ecosystems
The attack demonstrates the vulnerability of decentralized finance tools despite their “trustless” nature. Even when users maintain control of wallets, upstream developer accounts are weak points. Attackers exploiting npm and PyPI repositories can silently compromise thousands of wallets and systems without touching the exchange itself.
Sophistication of the Threat Actor
The malware’s cross-ecosystem design indicates a highly skilled attacker. Implementing credential theft on npm while adding persistent RAT access on PyPI shows careful planning for both immediate data exfiltration and long-term system compromise. The obfuscation and use of legitimate credentials further underline the actor’s sophistication.
Supply Chain Security Blind Spots
Phantom packages and typosquatting illustrate systemic weaknesses in open-source ecosystems. Millions of developers trust npx defaults, leaving an attack vector that doesn’t require exploiting technical vulnerabilities—just human assumptions. This incident is a wake-up call for organizations relying on package managers without additional verification and sandboxing.
Need for Continuous Monitoring and Verification
Given the recurring nature of attacks against dYdX (npm compromise in 2022, v3 phishing in 2024, and now supply chain attack in 2026), the ecosystem cannot rely solely on standard security practices. Developers and exchanges must implement automated package integrity checks, offline build verification, and behavioral analysis of packages to detect anomalous activity.
Wider Implications for Open-Source Dependency Management
The attack exemplifies a growing trend in upstream attacks: compromising trusted packages to gain downstream access. Organizations integrating open-source software must adopt supply chain threat modeling, identify critical dependencies, and educate developers on the dangers of blindly executing scripts from package managers.
Best Practices Moving Forward
Treat all external packages as potentially untrusted
Validate checksums and signatures before use
Isolate development environments from production wallets
Monitor registry activity for unexpected updates or new releases
This layered defense approach is no longer optional but essential for anyone working in cryptocurrency or DeFi development.
🔍 Fact Checker Results
✅ The compromised npm and PyPI package versions are accurately listed.
✅ dYdX publicly acknowledged the attack on January 28, 2026.
❌ No evidence suggests a technical vulnerability in the registries was exploited; the attack relied on compromised credentials.
📊 Prediction
The frequency and sophistication of attacks targeting dYdX suggest a continued risk to DeFi ecosystems via supply chain compromises. Attackers are likely to expand tactics, targeting other high-value libraries with cross-platform payloads. Organizations and developers who fail to implement verification, monitoring, and isolation protocols may face significant financial losses in the next 12–24 months. The era of trusting package managers by default is over—supply chain security will become the next frontier in cryptocurrency defense.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
