Malicious packages for dYdX cryptocurrency exchange empty user wallets


The researchers said that open source packages published to the NPM and PyPI repositories were equipped with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices.

“Every application using infected NPM versions is at risk…,” researchers at security firm Socket said on Friday. “The direct impact includes complete wallet compromise and irreversible cryptocurrency theft. The scope of the attack includes all applications based on the compromised versions and both developers testing them with real credentials and production end users.”

The packages that were infected were:

npm (@dydxprotocol/v4-client-js):

  • 3.4.1
  • 1.22.1
  • 1.15.2
  • 1.0.31

PyPI (dydx-v4-client):

Sustainable business, sustainable targeting

dYdX is a decentralized derivatives exchange that supports hundreds of markets for “perpetual trading,” in which traders use cryptocurrencies to bet on whether the value of a derivative will rise or fall. Socket said that dYdX has processed more than $1.5 trillion in trading volume over its lifetime, with an average trading volume of $200 million to $540 million and approximately $175 million in open interest. The exchange provides client libraries that third-party applications, such as trading bots, automated strategies, and backend services, use to sign transactions; all of them handle mnemonics or private keys.

The NPM malware embeds a malicious function in an otherwise legitimate package. Whenever the seed phrase that underlies a wallet's security was processed, the function exfiltrated it along with a fingerprint of the device running the app. The fingerprints allowed the threat actor to correlate stolen credentials and track victims across multiple compromises. The domain that received the seed was dydx[.]priceoracle[.]site, which mimics the legitimate dYdX service at dydx[.]xyz through typosquatting.
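A dependency audit for the package versions listed above, added here as an example and not part of Socket's report or the dYdX project. The sample lockfile and requirements pin are constructed, and the PyPI package is flagged at any pinned version because its affected releases are not quoted in this article.

```python
"""Audit an npm lockfile and a pip requirements file for the compromised
dYdX client packages named in the Socket report."""
import json

# npm client versions that the article lists as carrying the wallet stealer.
COMPROMISED_NPM = {
    "@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"},
}
# The PyPI package is named in the article but its affected versions are not,
# so any pinned release of it is flagged for manual verification.
REVIEW_PYPI = {"dydx-v4-client"}

def audit_lockfile(lock_text):
    """Return (name, version, install path) for each compromised npm install.
    Reads lockfileVersion 2/3 "packages", which also lists nested installs."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps the @scope/ prefix
        version = entry.get("version", "")
        if version in COMPROMISED_NPM.get(name, ()):
            findings.append((name, version, path))
    return findings

def audit_requirements(req_text):
    """Return (name, version, 'requirements') for pinned PyPI packages to review."""
    findings = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        if name.lower() in REVIEW_PYPI:
            findings.append((name, version, "requirements"))
    return findings

# Constructed sample inputs; they are not taken from any real project.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "trading-bot", "version": "0.1.0"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.1"},
    "node_modules/helper/node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.0"},
}})
SAMPLE_REQ = "requests==2.32.3\ndydx-v4-client==0.0.0  # constructed pin\n"

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK) + audit_requirements(SAMPLE_REQ):
        print("FLAGGED:", *finding)
```

Point the two functions at a project's real package-lock.json and requirements.txt; a hit on the npm list means the seed-handling code path should be treated as compromised and every key it touched rotated.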
