Executive Summary
In early February 2026, dYdX, a decentralized cryptocurrency exchange, experienced a significant supply chain attack. Malicious actors compromised legitimate npm and PyPI packages—@dydxprotocol/v4-client-js and dydx-v4-client, respectively—by publishing infected versions using legitimate developer credentials. These compromised packages were designed to steal wallet credentials and, in the case of the PyPI package, deploy a remote access trojan (RAT) for executing arbitrary commands on affected systems. The attack underscores the vulnerabilities inherent in software supply chains and the potential for widespread impact when trusted distribution channels are exploited.
This incident highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels, following similar attacks in 2022 and 2024. The coordinated cross-ecosystem deployment and sophisticated obfuscation techniques suggest that threat actors had direct access to publishing infrastructure, emphasizing the need for enhanced security measures in software development and distribution processes.
Why This Matters Now
The dYdX supply chain attack underscores the escalating threat of software supply chain compromises, particularly in the cryptocurrency sector. As decentralized finance platforms continue to grow, they become increasingly attractive targets for cybercriminals. This incident serves as a critical reminder for organizations to implement stringent security protocols, conduct regular audits of third-party dependencies, and enhance monitoring of software distribution channels to prevent similar attacks.
Attack Path Analysis
The attack began with the compromise of developer accounts, allowing adversaries to publish malicious versions of dYdX client libraries on npm and PyPI repositories. Upon installation, these packages executed code to steal wallet credentials and, in the case of the PyPI package, deployed a remote access trojan (RAT) for persistent access. The RAT enabled attackers to move laterally within the network, executing arbitrary commands and accessing sensitive data. Command and control were maintained through communication with external servers, facilitating ongoing exploitation. Exfiltration of stolen credentials and data occurred via these established channels. The impact included unauthorized access to cryptocurrency wallets, potential financial losses, and compromised system integrity.
Kill Chain Progression
Initial Compromise
Description
Adversaries compromised developer accounts to publish malicious versions of dYdX client libraries on npm and PyPI repositories.
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Compromise Software Dependencies and Development Tools
User Execution: Malicious Library
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: Python
Application Layer Protocol: Web Protocols
Screen Capture
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and scripts
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
NIS2 Directive – Supply Chain Security
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Supply chain attacks targeting cryptocurrency packages expose trading platforms to wallet theft, fund drainage, and regulatory compliance violations across financial ecosystems.
Computer Software/Engineering
Compromised npm and PyPI packages create direct developer environment infiltration risks, enabling RAT deployment and credential theft through trusted development dependencies.
Internet
Cross-platform package poisoning affects web-based cryptocurrency exchanges and DeFi platforms, compromising user funds through legitimate distribution channels and developer toolchains.
Information Technology/IT
Supply chain compromise demonstrates sophisticated targeting of development infrastructure, requiring enhanced egress filtering and zero trust segmentation for software supply chains.
Sources
- Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malwarehttps://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.htmlVerified
- Malicious dYdX Packages Published to npm and PyPI After Maintainer Compromisehttps://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypiVerified
- Malicious packages for dYdX cryptocurrency exchange empties user walletshttps://arstechnica.com/security/2026/02/malicious-packages-for-dydx-cryptocurrency-exchange-empties-user-wallets/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial compromise of developer accounts, it could limit the subsequent impact by restricting unauthorized access paths within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls between workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized outbound communications to external command and control servers.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not prevent the initial unauthorized access, it could likely reduce the overall impact by limiting the attacker's ability to move laterally and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Trading Operations
- Wallet Management Services
- Automated Trading Systems
Estimated downtime: 7 days
Estimated loss: $5,000,000
Compromised wallet credentials leading to unauthorized access and potential theft of cryptocurrency assets.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malicious activity within the network.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unauthorized access and unusual behavior promptly.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect anomalies across cloud environments.
- • Apply Inline IPS (Suricata) to inspect and block known exploit patterns and malicious payloads in real-time.
