
dYdX Distributes Malware That Steals Cryptocurrency Wallets
TL;DR
A cyber attack involving the dYdX protocol has compromised official packages, resulting in the distribution of malware capable of stealing digital wallets and installing a Remote Access Trojan (RAT). This operation was discovered by cybersecurity firm Socket on January 27, 2026, and affected both npm and PyPI ecosystems, critical tools for developers.
The dYdX platform, a decentralized cryptocurrency exchange, has already processed over $1.5 trillion, and its average daily volume ranges between $200 million and $540 million. The packages @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) are core dependencies for applications that interact with the protocol, including wallet creation and management.
How the Attack Works
The attackers obtained legitimate maintainers' credentials and published malicious versions of the packages to both registries. Malicious code was inserted into core files such as registry.ts and account.py, so the compromise took effect during ordinary use of the packages.
In the npm package, the createRegistry() function was altered to capture the seed phrase (a recovery phrase of 12 to 24 words) and send it to a server controlled by the attackers. The seed phrase is critical because it grants full control of the cryptocurrency wallet.
Malware in npm and PyPI
The JavaScript malware does not stop at stealing credentials: it also collects device information such as the computer name and operating system and hashes them into a unique identifier for the victim. The code is wrapped in a try-catch that silently swallows errors, so users see no sign of the compromise.
The PyPI version is more severe: it installs a RAT that gives the attackers complete remote control of the victim's machine. The installer is hidden inside the list_prices() function, which is supposed to do nothing more than query trading prices.
Consequences of the Attack
The impact is significant. npm users who supplied real seed phrases lost all access to their wallets, while PyPI users face an even greater risk, since the attackers can execute arbitrary code on their systems.
Beyond wallet theft, the RAT can harvest access credentials for servers and APIs, which makes the situation critical for developers who depend on the integrity of their tooling. This is not the first attack aimed at dYdX; earlier incidents have also exploited vulnerabilities in its operations.
Implications and Future Security
The sophistication of the attack reflects the planning and tradecraft of professional cybercrime groups. The incident also shows how heavily developers rely on packages from official registries, underlining the need for stricter security vetting of dependencies.
Developers should adopt automated verification tooling, monitor network traffic, and follow practices such as the principle of least privilege. Keeping development environments separate from production is also essential to contain future breaches.
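The verification the previous paragraph calls for can start with the project's own manifests: a dependency that is not pinned to an exact version, or whose artifact carries no hash, will pull in whatever the registry serves next, which is exactly how a hijacked release spreads. The following script is an added example, not tooling from dYdX or Socket; it assumes a requirements.txt on the PyPI side and an npm package-lock.json (v2/v3 layout) on the npm side, and the sample manifests, version numbers and hashes in it are constructed placeholders.

```python
"""Flag dependencies that can float to a newly published release or cannot be
verified. Added example, not dYdX/Socket tooling; samples below are constructed."""
import json
import re

WATCHLIST = {"@dydxprotocol/v4-client-js", "dydx-v4-client"}  # named in the incident; findings rated HIGH
_REQ_RE = re.compile(r"^([^\s\[=~<>!;#]*)(?:\[[^\]]*\])?\s*([=~<>!]+)?")


def audit_requirements(text):
    """PyPI side: requirements.txt lines without an exact pin or a --hash."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":  # comments, -r includes, bare --hash lines
            continue
        m = _REQ_RE.match(line)
        name, op = m.group(1).lower(), m.group(2)
        sev = "HIGH" if name in WATCHLIST else "LOW"
        if op != "==":
            findings.append((sev, name, "version range, not an exact pin"))
        if "--hash=" not in line:
            findings.append((sev, name, "no --hash, pip cannot verify artifact"))
    return findings


def audit_lockfile(lock_text, registry="https://registry.npmjs.org/"):
    """npm side: package-lock.json (v2/v3) entries lacking integrity or registry."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]
        sev = "HIGH" if name in WATCHLIST else "LOW"
        if "integrity" not in meta:
            findings.append((sev, name, "no integrity hash in lockfile"))
        if not meta.get("resolved", "").startswith(registry):
            findings.append((sev, name, "resolved outside expected registry"))
    return findings


# Constructed sample manifests; every version and hash is a placeholder.
SAMPLE_REQS = "dydx-v4-client>=1.0\nrequests==2.31.0 --hash=sha256:PLACEHOLDER\nnumpy==1.26.0\n"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "sample-app"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "0.0.0-PLACEHOLDER",
        "resolved": "https://registry.npmjs.org/@dydxprotocol/v4-client-js/-/x.tgz"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER",
        "resolved": "https://mirror.invalid/left-pad-1.3.0.tgz"}}})

if __name__ == "__main__":
    for sev, name, issue in audit_requirements(SAMPLE_REQS) + audit_lockfile(SAMPLE_LOCK):
        print(sev, name, issue)
```

Run it against real manifests in CI and fail the build on any HIGH finding; a pinned, hashed dependency cannot be swapped for a newly published version without a visible diff.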
Content selected and edited with AI assistance. Original sources referenced above.


