
A recent supply chain attack has drawn attention in the developer and crypto communities. On February 5, 2026, Socket’s security team detected malicious dYdX packages uploaded to npm and PyPI.
These releases were disguised as legitimate libraries but included hidden code capable of stealing wallet credentials and executing commands remotely, putting unsuspecting users at serious risk.
The investigation revealed that attackers had taken over the publication credentials of a dYdX maintainer, allowing them to push infected versions without triggering standard repository alerts. This account takeover was the confirmed vector of the incident.
Malicious code was embedded in production files, making it nearly invisible to standard audits. Developers installing these packages would see normal library behavior, while sensitive data like seed phrases could be exfiltrated silently.
The npm package @dydxprotocol/v4-client-js included routines that captured wallet mnemonics and device fingerprints. These details were transmitted to the command-and-control domain dydx.priceoracle[.]site/js.
On PyPI, the dydx-v4-client package (version 1.1.5post1) also stole credentials and implemented Remote Access Trojan (RAT) features. On Windows, it used the CREATE_NO_WINDOW flag to hide console execution, making its actions stealthy while sending data to dydx.priceoracle[.]site/py.
The compromised npm releases of @dydxprotocol/v4-client-js were 3.4.2, 1.22.2, 1.15.3, and 1.0.32. For PyPI, only dydx-v4-client 1.1.5post1 was affected. These packages are widely used in crypto trading bots, wallet management tools, and automation systems, meaning the attack could have far-reaching consequences in the DeFi ecosystem.
The supply chain compromise demonstrates how a single compromised maintainer account can endanger many users. Continuous monitoring and dependency verification are essential safeguards.
Developers should audit their dependencies, verify package integrity, and promptly update to safe versions. Awareness of supply chain risks is critical to prevent similar attacks in the future.
The detailed analysis by Socket reinforces that vigilance in the open-source ecosystem is a first line of defense against increasingly sophisticated attacks.
Even a minor package update can carry hidden threats. Users and developers alike must adopt a security-first mindset to protect sensitive crypto assets.
