Cybersecurity researchers have discovered a new supply chain attack in which legitimate packages on npm and the Python Package Index (PyPI) repository have been compromised to push malicious versions to facilitate wallet credential theft and remote code execution.
The compromised versions of the two packages are listed below –
“The @dydxprotocol/v4-client-js (npm) and dydx-v4-client (PyPI) packages provide developers with tools to interact with the dYdX v4 protocol, including transaction signing, order placement, and wallet management,” Socket security researcher Kush Pandya noted. “Applications using these packages handle sensitive cryptocurrency operations.”
dYdX is a non-custodial, decentralized cryptocurrency exchange for trading margin and perpetual swaps, while allowing users to retain full control over their assets. On its website, the DeFi exchange says it has surpassed $1.5 trillion in cumulative trading volume.
While it’s currently how these poisoned updates were pushed, it’s suspected to be a case of developer account compromise, as the rogue versions were published using legitimate publishing credentials.
The changes introduced by the threat actors have been found to target both the JavaScript and Python ecosystems with different payloads. In the case of npm, the malicious code acts as a cryptocurrency wallet stealer that siphons seed phrases and device information. The Python package, on the other hand, also incorporates a remote access trojan (RAT) along with the wallet stealer functionality.
The RAT component, which is run as soon as the package is imported, contacts an external server (“dydx.priceoracle[.]site/py”) to retrieve commands for subsequent execution on the host. On Windows systems, it makes use of the “CREATE_NO_WINDOW” flag to ensure that it’s executed without a console window.
“The threat actor demonstrated detailed knowledge of the package internals, inserting malicious code into core registry files (registry.ts, registry.js, account.py) that would execute during normal package usage,” Pandya said.
“The 100-iteration obfuscation in the PyPI version and the coordinated cross-ecosystem deployment suggest the threat actor had direct access to publishing infrastructure rather than exploiting a technical vulnerability in the registries themselves.”
Following responsible disclosure on January 28, 2026, dYdX acknowledged the incident in a series of posts on X, and urged users who may have downloaded the compromised versions to isolate affected machines, move funds to a new wallet from a clean system, and rotate all API keys and credentials.
“The versions of dydx-v4-clients hosted in the dydxprotocol Github do not contain the malware,” it added.
This is not the first time the dYdX ecosystem has been the target of supply chain attacks. In September 2022, Mend and Bleeping Computer reported a similar case where the npm account of a dYdX staff member was hijacked to publish new versions of multiple npm packages that contained code to steal credentials and other sensitive data.
Two years later, the exchange also divulged that the website associated with its now-discontinued dYdX v3 platform was compromised to redirect users to a phishing site with the goal of draining their wallets.
“Viewed alongside the 2022 npm supply chain compromise and the 2024 DNS hijacking incident, this attack highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels,” Socket said.
“The nearly identical credential theft implementations across languages indicate deliberate planning. The threat actor maintained consistent exfiltration endpoints, API keys, and device fingerprinting logic while deploying ecosystem-specific attack vectors. The npm version focuses on credential theft, while the PyPI version adds persistent system access.”
Supply Chain Risks with Non-Existent Packages
The disclosure comes as Aikido detailed how npm packages referenced in README files and scripts but never actually published pose an attractive supply chain attack vector, allowing a threat actor to publish packages under those names to distribute malware.
The discovery is the latest manifestation of the growing sophistication of software supply chain threats, allowing bad actors to compromise several users at once by exploiting the trust associated with open-source repositories.
“Sophisticated attackers are moving upstream into the software supply chain because it provides a deep, low-noise initial access path into downstream environments,” Sygnia’s Omer Kidron said.
“The same approach supports both precision compromise (a specific vendor, maintainer, or build identity) and opportunistic attacks at scale (‘spray’) through widely trusted ecosystems — making it relevant to all organizations, regardless of whether they see themselves as primary targets.”
Aikido’s analysis found that the 128 phantom packages collectively racked up 121,539 downloads between July 2025 and January 2026, averaging 3,903 downloads per week and scaling a peak of 4,236 downloads last month. The packages with the most downloads are listed below –
- openapi-generator-cli (48,356 downloads), which mimics @openapitools/openapi-generator-cli
- cucumber-js (32,110 downloads), which mimics @cucumber/cucumber
- depcruise (15,637 downloads), which mimics dependency-cruiser
- jsdoc2md (4,641 downloads)
- grpc_tools_node_protoc (4,518 downloads)
- vue-demi-switch (1,166 downloads)
“Openapi-generator-cli saw 3,994 downloads in just the last seven days,” security researcher Charlie Eriksen said. “That’s nearly 4,000 times someone tried to run a command that doesn’t exist. In one week.”
The findings highlight a blind spot in npm’s typosquatting protections, which, while actively blocking attempts to claim names with similar spelling to that of existing packages, doesn’t prevent a user from creating packages with names that were never registered in the first place, as there is nothing to compare against.
To mitigate this risk with npx confusion, Aikido recommends taking the following steps –
- Use “npx –no-install” to block registry fallback, causing an installation to fail if a package is not found locally
- Install CLI tools explicitly
- Verify a package exists if the documentation asks users to run it
- Register obvious aliases and misspellings to prevent a bad actor from claiming them
“The npm ecosystem has millions of packages,” Eriksen said. “Developers run npx commands thousands of times daily. The gap between ‘convenient default’ and ‘arbitrary code execution’ is one unclaimed package name.”
