Open source packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices, researchers said.
“Every application using the compromised npm versions is in danger ….” the researchers, from security firm Socket, said Friday. “Direct impact includes complete wallet compromise and irreversible cryptocurrency theft. The attack scope includes all applications depending on the compromised versions and each developers testing with real credentials and production end-users.”
Packages that were infected were:
npm (@dydxprotocol/v4-client-js):
- 3.4.1
- 1.22.1
- 1.15.2
- 1.0.31
PyPI (dydx-v4-client):
Perpetual trading, perpetual targeting
dYdX is a decentralized derivatives exchange that supports a whole bunch of markets for “perpetual trading,” or the usage of cryptocurrency to bet that the worth of a derivative future will rise or fall. Socket said dYdX has processed over $1.5 trillion in trading volume over its lifetime, with a mean trading volume of $200 million to $540 million and roughly $175 million in open interest. The exchange provides code libraries that allow third-party apps for trading bots, automated strategies, or backend services, all of which handle mnemonics or private keys for signing.
The npm malware embedded a malicious function within the legitimate package. When a seed phrase that underpins wallet security was processed, the function exfiltrated it, together with a fingerprint of the device running the app. The fingerprint allowed the threat actor to correlate stolen credentials to trace victims across multiple compromises. The domain receiving the seed was dydx[.]priceoracle[.]site, which mimics the legitimate dYdX service at dydx[.]xyz through typosquatting.
