
Malicious packages for dYdX cryptocurrency exchange empty user wallets
AI Summary
This article details a series of malicious attacks targeting the dYdX cryptocurrency exchange. Researchers from the security firm Socket discovered that malicious packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems, and in some cases, backdoored devices. The stolen credentials allowed the threat actors to completely compromise user wallets and steal their cryptocurrency. The attack scope included all applications depending on the compromised versions, affecting both developers testing with real credentials and production end-users. This incident is at least the third time dYdX has been targeted, following a 2022 npm supply chain compromise and a 2024 DNS hijacking incident. The article emphasizes the persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels, highlighting the need for users to carefully examine all apps for dependencies on the malicious packages identified.
Original Description
Incident is at least the third time the exchange has been targeted by thieves.