""The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages provide developers with tools to interact with the dYdX v4 protocol, including transaction signing, order placement, and wallet management," Socket security researcher Kush Pandya noted. "Applications using these packages handle sensitive cryptocurrency operations." dYdX is a non-custodial, decentralized cryptocurrency exchange for trading margin and perpetual swaps, while allowing users to retain full control over their assets. On its website, the DeFi exchange says it has surpassed $1.5 trillion in cumulative trading volume."
"While it's currently how these poisoned updates were pushed, it's suspected to be a case of developer account compromise, as the rogue versions were published using legitimate publishing credentials. The changes introduced by the threat actors have been found to target both the JavaScript and Python ecosystems with different payloads. In the case of npm, the malicious code acts as a cryptocurrency wallet stealer that siphons seed phrases and device information. The Python package, on the other hand, also incorporates a remote access trojan (RAT) along with the wallet stealer functionality."
"The RAT component, which is run as soon as the package is imported, contacts an external server ("dydx.priceoracle[.]site/py") to retrieve commands for subsequent execution on the host. On Windows systems, it makes use of the " CREATE_NO_WINDOW" flag to ensure that it's executed without a console window."
The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages were compromised and malicious versions were published using legitimate publishing credentials. The packages enable transaction signing, order placement, and wallet management for dYdX, a non-custodial decentralized exchange with over $1.5 trillion cumulative trading volume. The npm release contains a wallet stealer that exfiltrates seed phrases and device information. The PyPI release includes the wallet stealer plus a remote access trojan that executes on import, contacts dydx.priceoracle[.]site/py for commands, and uses CREATE_NO_WINDOW on Windows to run stealthily. The activity suggests developer account compromise and targeted knowledge of package internals.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]