Threat actors released malicious versions of dYdX client packages to the npm and PyPI ecosystems as part of a supply chain attack, according to cybersecurity firm Socket. The targets were developers who use these packages to trade cryptocurrencies on the decentralized exchange dYdX; the incident was discovered on January 27, 2026.
Overview of the Attack
To release the tainted packages, the threat actors most likely gained access to a dYdX maintainer account. Versions 3.4.1, 1.22.1, 1.15.2, and 1.0.31 of the npm package @dydxprotocol/v4-client-js are affected, as is version 1.1.5post1 of the PyPI package dydx-v4-client. These packages are how developers interact with the dYdX v4 protocol for tasks such as wallet management and transaction signing, so code injected into them runs inside the very process that handles keys and seed phrases.
dYdX runs more than 240 perpetual markets with a lifetime trading volume of over $1.5 trillion. The malware hides in core files, registry.ts in the npm package and account.py in the PyPI package, and runs during normal use of the client rather than only at install time.
On January 28, Socket alerted dYdX, which issued public warnings on X telling users to isolate affected systems and rotate credentials.
The mechanics of the malware
In the npm versions, a tampered createRegistry() function steals seed phrases and device fingerprints and sends them via an HTTP POST to https://dydx.priceoracle.site/v4/price, a lookalike domain whose dydx subdomain imitates the legitimate dydx.xyz.
The device fingerprint is a SHA-256 hash of the machine ID, OS information, hostname, and MAC address, which lets the attackers track individual victims. An empty try-catch swallows any error so nothing surfaces to the developer. The PyPI version goes further and includes a Remote Access Trojan (RAT): a list_prices() function mirrors the npm credential theft, while _bootstrap.py automatically executes an obfuscated payload stored in config.py.
The payload is unwrapped by 100 rounds of string reversal, base64 decoding, and zlib decompression before it runs. Every ten seconds the RAT beacons to https://dydx.priceoracle.site/py, identifying itself with the hardcoded token 490CD9DAD3FAE1F59521C27A96B32F5D677DD41BF1F706A0BF85E69CA6EBFE75.
It retrieves Python code from that endpoint with SSL certificate checks disabled and executes it in hidden subprocesses; on Windows the CREATE_NO_WINDOW flag keeps the execution invisible. Because the RAT runs with the privileges of the user who ran the client, attackers can install backdoors, pivot across the network, and steal source code, SSH keys, and API credentials.
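To make the unwrapping concrete, here is an added example (not code from the Socket report and not the malware itself) of how an analyst would peel a payload layered this way. It builds a harmless, constructed stand-in payload with the inverse transform, then peels reverse -> base64 -> zlib layers until the data stops decoding cleanly, so it also recovers a sample with fewer layers instead of failing on a hard-coded count. The function names and the sample text are assumptions.

```python
import base64
import zlib

# Constructed stand-in for the real config.py payload (assumption: harmless text).
SAMPLE_PAYLOAD = b"print('stage two would be fetched here')"


def pack(payload: bytes, rounds: int = 100) -> bytes:
    """Build a fixture shaped like the reported layering: for each round,
    zlib-compress, base64-encode, then reverse the bytes.  This is the
    inverse of unpack() and exists only to produce test material."""
    blob = payload
    for _ in range(rounds):
        blob = base64.b64encode(zlib.compress(blob))[::-1]
    return blob


def unpack(blob: bytes, max_rounds: int = 100) -> tuple[bytes, int]:
    """Peel one reverse -> base64 -> zlib layer at a time until the data
    stops decoding cleanly.  Returns (payload, layers_peeled).

    Stopping on the first decode failure, instead of hard-coding the count,
    means a variant with fewer layers is still recovered, and plain text is
    returned untouched with a count of 0.  max_rounds caps the work."""
    layers = 0
    while layers < max_rounds:
        try:
            inner = zlib.decompress(base64.b64decode(blob[::-1], validate=True))
        except (ValueError, zlib.error):
            # binascii.Error (invalid base64) is a ValueError subclass
            break
        blob = inner
        layers += 1
    return blob, layers


if __name__ == "__main__":
    wrapped = pack(SAMPLE_PAYLOAD)
    payload, layers = unpack(wrapped)
    print(f"peeled {layers} layers, {len(wrapped)} -> {len(payload)} bytes")
    print(payload.decode())
```

In a real triage you would pass the bytes of the obfuscated string from config.py to unpack() and review the recovered stage in an isolated environment rather than executing it.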
Following the reports, the priceoracle.site domain, registered on January 9, 2026, now shows registrar transfer locks. dYdX has been hit before: a DNS hijacking in July 2024 drained wallets via phishing, and an npm compromise in September 2022 stole credentials. The impact of this incident is wallet drains for npm users and full system compromise for PyPI users. Trading bots, algorithmic trading systems, and DeFi apps built on the affected versions are at serious risk.
Steps for Mitigation
Pin dependencies to known-good versions (cross-check against the project's GitHub releases) and audit the full dependency tree. Use tools such as the Socket CLI, GitHub App, and scanner to detect the packages. If an affected version ran, treat the host as compromised: isolate the machine, rotate all keys, and move funds to wallets created on clean systems.
Block the malicious IOCs, the listed package versions and the dydx.priceoracle.site endpoints. This multi-ecosystem attack (MITRE ATT&CK T1195.002, Compromise Software Supply Chain) highlights the supply chain risk in crypto development tools; developers need to scan their projects thoroughly.
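As an added example of the audit and IOC-blocking steps above (not tooling from Socket or dYdX), the script below checks an npm lockfile and a requirements.txt or pip freeze listing for the affected versions named earlier in the article, and flags proxy log lines that reference the attacker's priceoracle.site domain. It matches any host under that domain, not only the dydx subdomain, since the whole domain is attacker-registered. The lockfile, requirements and log lines are constructed samples, and the function names are assumptions.

```python
import json
import re

# Indicators quoted in the article above (from the Socket report).
NPM_AFFECTED = {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}}
PYPI_AFFECTED = {"dydx-v4-client": {"1.1.5post1"}}
# Any host under the attacker-registered domain, not only the dydx subdomain.
C2_DOMAIN_RE = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*priceoracle\.site(?![a-z0-9-])", re.I)


def audit_package_lock(lock_text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from package-lock.json that match an
    affected npm version.  Reads the v2/v3 "packages" map (keys are paths,
    so the name is whatever follows the last node_modules/) and the v1
    "dependencies" map; a v2 lockfile carries both, hence the de-dup."""
    lock = json.loads(lock_text)
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the project itself
            continue
        name = meta.get("name") or path.split("node_modules/")[-1]
        if meta.get("version") in NPM_AFFECTED.get(name, set()):
            hits.add((name, meta["version"]))
    for name, meta in lock.get("dependencies", {}).items():
        if meta.get("version") in NPM_AFFECTED.get(name, set()):
            hits.add((name, meta["version"]))
    return sorted(hits)


def _canon_name(name: str) -> str:
    # PEP 503 normalisation so Dydx_v4.client and dydx-v4-client compare equal
    return re.sub(r"[-_.]+", "-", name).lower()


def _canon_version(version: str) -> str:
    # pip freeze prints the PEP 440 form 1.1.5.post1; the advisory says 1.1.5post1
    return re.sub(r"[-_.]?post", ".post", version.strip().lower())


def audit_requirements(req_text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs pinned with == in requirements.txt or
    pip freeze output that match an affected PyPI version."""
    bad = {_canon_name(n): {_canon_version(v) for v in vs} for n, vs in PYPI_AFFECTED.items()}
    hits = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)", line)
        if m and _canon_version(m.group(2)) in bad.get(_canon_name(m.group(1)), set()):
            hits.append((m.group(1), m.group(2)))
    return hits


def find_c2_traffic(log_lines: list[str]) -> list[str]:
    """Return proxy/DNS log lines that reference the C2 domain."""
    return [line for line in log_lines if C2_DOMAIN_RE.search(line)]


# Constructed samples (not real project files or real logs).
SAMPLE_LOCK = json.dumps({
    "name": "trading-bot", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "0.1.0"},
        "node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.1"},
        "node_modules/long": {"version": "5.2.3"},
    },
})
SAMPLE_REQS = "requests==2.32.3\ndydx-v4-client==1.1.5.post1  # from pip freeze\n"
SAMPLE_LOGS = [
    "2026-01-28T10:02:11Z 10.0.4.7 POST https://dydx.priceoracle.site/v4/price 200",
    "2026-01-28T10:02:21Z 10.0.4.7 GET https://dydx.priceoracle.site/py 200",
    "2026-01-28T10:02:30Z 10.0.4.9 GET https://api.example.com/v4/price 200",
]

if __name__ == "__main__":
    print("npm hits: ", audit_package_lock(SAMPLE_LOCK))
    print("pypi hits:", audit_requirements(SAMPLE_REQS))
    print("c2 lines: ", *find_c2_traffic(SAMPLE_LOGS), sep="\n  ")
```

A lockfile hit only tells you the version was resolved; whether the malicious code ran depends on whether the package was imported, so treat any hit on a machine that has run the application as a compromise and follow the isolation and key-rotation steps above.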