Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromise
Blog post from Socket
Socket's Threat Research Team uncovered a supply chain attack targeting the dYdX protocol package in the npm and PyPI ecosystems, affecting applications that use these packages for sensitive cryptocurrency operations. The compromised versions introduced malicious payloads, including a cryptocurrency wallet stealer in npm and an additional Remote Access Trojan (RAT) in PyPI, posing a significant threat to developers and users in the JavaScript and Python communities.

The attack is part of a persistent pattern of targeting dYdX-related infrastructure. The threat actor had detailed knowledge of the package internals, suggesting a possible developer account compromise, and used legitimate publishing credentials to insert malware deep within authentic package structures, bypassing standard security measures. The malicious infrastructure used typosquatting domains that mimic legitimate services, and the RAT allowed arbitrary code execution, increasing the impact on Python users.

Socket detected the compromised packages quickly, and dYdX acknowledged the incident publicly, highlighting the need for robust defenses against supply chain attacks of this sophistication.