GitHub malicious-dependency incident touching protocol deps
Assessment of dYdX v4 (dYdX Chain) for factor RD-F-160, scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
CONFIRMED active F160-class malicious-dependency incident. Four npm releases of @dydxprotocol/v4-client-js (3.4.1, 1.22.1, 1.15.2 and 1.0.31) and one PyPI release of dydx-v4-client (1.1.5post1) were confirmed malicious. Socket.dev detected the releases on January 27, 2026 and disclosed them to dYdX on January 28, 2026 at 12:19 UTC. Payloads: the npm releases carried a wallet stealer that exfiltrated seed phrases and device fingerprints to dydx.priceoracle.site; the PyPI release carried the same wallet stealer plus a RAT giving the attacker arbitrary code execution on the installing host. Attack vector: compromise of a developer account with publish rights on the npm and PyPI registries (the method of account takeover is unconfirmed, per Socket). Scope: only the client SDK libraries were affected; the on-chain v4-chain Go binary was not. The affected packages accumulated 121,539 downloads between July 2025 and January 2026. dYdX acknowledged the incident on X on January 28, 2026, urging users to isolate affected machines, move funds from a clean system, and rotate API keys.
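The malicious releases sit on several version lines rather than only at the latest version, so a caret or tilde range on an older line could have resolved to one of them; the check that matters is against the resolved version in the lockfile or the installed environment, not the declared range. The script below is an added example written for this page, not code from the cited sources or from the dYdX project. It takes the package names, version numbers and exfiltration domain from the evidence summary above and scans a package-lock.json, `pip freeze` output and DNS-style log lines for them; every manifest and log line in the demo is constructed. PyPI names and the post-release spelling are normalised first, because `dydx_v4_client==1.1.5.post1` and `dydx-v4-client==1.1.5post1` refer to the same release.

```python
"""Scan dependency manifests and logs for the malicious dYdX client SDK releases.

Added example for this assessment page; not code from the page's sources or from
the dYdX project. Package names, versions and the exfiltration domain are the ones
the evidence summary cites. All manifest and log text below is constructed.
"""
import json
import re

# Releases the evidence summary reports as malicious, keyed by package name.
MALICIOUS_NPM = {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}}
MALICIOUS_PYPI = {"dydx-v4-client": {"1.1.5post1"}}
EXFIL_DOMAIN = "dydx.priceoracle.site"


def _pypi_name(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def _pypi_version(version: str) -> str:
    """Canonical post-release spelling so 1.1.5post1, 1.1.5.post1 and 1.1.5-post1 compare equal."""
    return re.sub(r"[-_.]*post", ".post", version.strip().lower())


_BAD_PYPI = {_pypi_name(n): {_pypi_version(v) for v in vs} for n, vs in MALICIOUS_PYPI.items()}


def scan_package_lock(lock_text: str) -> list[tuple[str, str]]:
    """Return (name, version) hits from package-lock.json (lockfileVersion 1, 2 or 3)."""
    lock = json.loads(lock_text)
    hits: list[tuple[str, str]] = []

    # lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
    # "node_modules/@dydxprotocol/v4-client-js" or "node_modules/a/node_modules/b".
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.split("node_modules/")[-1]
        if meta.get("version") in MALICIOUS_NPM.get(name, ()):
            hits.append((name, meta["version"]))

    # lockfileVersion 1: nested "dependencies" tree. v2 files carry it too, so walk it
    # only when "packages" is absent to avoid double-counting.
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in MALICIOUS_NPM.get(name, ()):
                hits.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    if "packages" not in lock:
        walk(lock.get("dependencies", {}))
    return hits


def scan_pip_freeze(freeze_text: str) -> list[tuple[str, str]]:
    """Return (name, version) hits from `pip freeze` output (name==version lines)."""
    hits = []
    for line in freeze_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue  # editable installs, VCS URLs, blank lines
        name, version = line.split("==", 1)
        if _pypi_version(version) in _BAD_PYPI.get(_pypi_name(name), ()):
            hits.append((name.strip(), version.strip()))
    return hits


def find_exfil_hosts(log_lines) -> list[str]:
    """Return log lines naming the reported exfiltration domain or any subdomain of it."""
    hits = []
    for line in log_lines:
        for token in re.findall(r"[A-Za-z0-9.-]+", line):
            host = token.lower().rstrip(".")
            if host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN):
                hits.append(line)
                break
    return hits


# Constructed demo inputs: a v3 lockfile pinned to a malicious npm release, a v1 lockfile
# with the hit nested under another package, pip freeze output using an alternative
# spelling of the PyPI release, and two DNS-style log lines.
SAMPLE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "trading-bot"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.1"},
    "node_modules/long": {"version": "5.2.3"}}})
SAMPLE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "my-wrapper": {"version": "0.1.0", "dependencies": {
        "@dydxprotocol/v4-client-js": {"version": "3.4.1"}}}}})
SAMPLE_FREEZE = "dydx_v4_client==1.1.5.post1\nrequests==2.32.3\n"
SAMPLE_LOGS = [
    "2026-01-27T10:01:02Z dns A dydx.priceoracle.site from 10.0.0.7",
    "2026-01-27T10:01:03Z dns A registry.npmjs.org from 10.0.0.7",
]

if __name__ == "__main__":
    print("npm v3 hits:", scan_package_lock(SAMPLE_LOCK_V3))
    print("npm v1 hits:", scan_package_lock(SAMPLE_LOCK_V1))
    print("pip hits:   ", scan_pip_freeze(SAMPLE_FREEZE))
    print("exfil logs: ", find_exfil_hosts(SAMPLE_LOGS))
```

A hit from the manifest scanners means the host resolved one of the reported releases and should be treated per dYdX's guidance above (isolate, move funds from a clean machine, rotate keys); a hit from the log scanner indicates the stealer's exfiltration call may already have happened. A clean result only covers the versions listed on this page.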
Sources
- Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware. The Hacker News, news report on the dYdX supply chain attack. Retrieved 2026-05-17.
- Malicious dYdX Packages Published to npm and PyPI After Main Developer Account Compromise. Socket.dev, full technical analysis of the dYdX npm/PyPI supply chain attack. Retrieved 2026-05-17.
- dYdX npm and PyPI Supply Chain Attack: Wallet Stealer and RAT Malware. Rescana, analysis of the dYdX npm and PyPI supply chain attack with IOCs. Retrieved 2026-05-17.
Methodology
Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.