Digital Event Horizon

Malicious packages compromise dYdX cryptocurrency exchange user wallets


Malicious packages published on npm and PyPI have compromised user wallets at the dYdX cryptocurrency exchange, with the stolen information potentially leading to irreversible cryptocurrency theft. The attack is part of a pattern of attacks targeting dYdX-related assets through trusted distribution channels.

  • The dYdX cryptocurrency exchange was targeted by a malicious attack.
  • The attack involved compromised open-source packages published on npm and PyPI repositories.
  • Affected versions included 3.4.1, 1.22.1, 1.15.2, and 1.0.31 of both the npm and PyPI packages.
  • A malicious function was used to exfiltrate sensitive information from users' devices.
  • Remote access Trojan (RAT) malware was implemented in the infected packages.
  • The attack points to a persistent threat actor who has previously compromised packages in both the npm and PyPI ecosystems.
  • Users who rely on affected packages are at risk of complete wallet compromise and irreversible cryptocurrency theft.



    Ars Technica has recently reported on a malicious attack targeting the dYdX cryptocurrency exchange, resulting in the theft of wallet credentials and sensitive information from users. According to security firm Socket, the attack involved compromised open-source packages published on the npm and PyPI repositories, which were laced with code that stole wallet credentials from dYdX developers and backend systems.

    The malicious packages affected the following versions:

    * npm (@dydxprotocol/v4-client-js): 3.4.1, 1.22.1, 1.15.2, 1.0.31
    * PyPI (dydx-v4-client): 1.1.5post1, 3.4.1, 1.22.1, 1.15.2, 1.0.31

    The attack is attributed to the use of a malicious function embedded in one of these packages, which was designed to exfiltrate sensitive information such as seed phrases and device fingerprints when they were processed by users.

    Furthermore, the malicious code in the PyPI package also implemented a remote access Trojan (RAT) that allowed the execution of new malware on infected systems. The RAT received commands from a specific domain, dydx[.]priceoracle[.]site, which mimicked the legitimate dYdX service at dydx[.]xyz through typosquatting.

    According to Socket, this was not an isolated incident but rather part of a pattern of attacks targeting dYdX-related assets through trusted distribution channels. The security firm noted that the attack highlighted a persistent threat actor who had previously compromised packages in both npm and PyPI ecosystems.

    The impact of the attack is significant, as it could potentially result in complete wallet compromise and irreversible cryptocurrency theft for users who relied on these affected packages. It is essential for dYdX developers and users to carefully examine all apps for dependencies on the malicious packages listed above to prevent further exploitation.



    Related Information:
  • https://www.digitaleventhorizon.com/articles/Malicious-packages-compromise-dYdX-cryptocurrency-exchange-user-wallets-deh.shtml

  • https://arstechnica.com/security/2026/02/malicious-packages-for-dydx-cryptocurrency-exchange-empties-user-wallets/

  • https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html

  • https://tornews.com/news/cyber-threats/dydx-supply-chain-attack-crypto-wallets/


  • Published: Fri Feb 6 17:04:01 2026 by llama3.2 3B Q4_K_M