dYdX npm and PyPI Packages Compromised in Supply Chain Attack
On January 28, 2026, security researchers at Socket discovered that the official dYdX client libraries on npm and PyPI had been republished with wallet-stealing malware, one of the most significant supply chain attacks in DeFi to date.
What Happened
Malicious actors gained access to the publishing credentials for dYdX's official JavaScript (npm) and Python (PyPI) client libraries and published backdoored versions:
- Affected packages: `@dydxprotocol/v4-client-js` and `dydx-v4-client` (Python)
- Malware behavior: The malicious code attempted to read private keys and seed phrases from the environment the package was installed in and send them out over the network (the suspicious outbound calls that Socket's analysis flagged)
- Discovery: Socket's automated package analysis flagged suspicious network calls in the updated packages
Timeline
- Compromise detected: January 28, 2026, by Socket
- Public disclosure: Socket published findings within hours
- dYdX response: Acknowledged the incident and urged developers to upgrade to the clean versions
- Clean versions: Patched packages published the same day
Impact Assessment
- Developer-facing risk: primarily affected developers building on dYdX (including any CI job or service that installed the packages during the window), not end users of the dYdX interface
- No smart contract compromise: the dYdX Chain itself was not affected
- Limited exposure window: the malicious packages were live for less than 24 hours, though anyone who installed them in that window should assume the malware ran
Lessons
This incident highlights the growing risk of supply chain attacks in the crypto ecosystem:
- Package registries (npm, PyPI) are increasingly targeted
- Even established protocols can have their distribution channels compromised
- Developers should pin exact versions, install from a lock file that records integrity hashes (`npm ci` rather than `npm install`; `pip install --require-hashes`), and review what changed before accepting a new release
- Anyone who installed the affected versions should treat every private key and seed phrase reachable from that environment as compromised and move funds to fresh keys; upgrading the package removes the backdoor but does not undo an exfiltration that already happened
- Multi-factor authentication for package publishing is essential, and maintainers should prefer release flows that tie a publish to a CI identity rather than a long-lived token (npm provenance, PyPI Trusted Publishers)
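As an added example (not code from Socket, dYdX or either registry), the following Python script shows the check that `npm ci` and `pip install --require-hashes` perform against a lock file: the bytes of the fetched artifact are hashed and compared with the hash pinned when the lock was written, so a pinned version whose contents differ from what was locked (a tampered mirror or proxy, for instance) fails even though its version string matches. The package names are the two from this incident; the tarball bytes, the lockfile and the requirements line are constructed sample data, and the versions are placeholders.

```python
"""Lock file integrity verification, the way npm ci and pip --require-hashes do it."""
import base64
import hashlib
import hmac
import re

# Constructed sample artifacts (not real dYdX release files): what was fetched
# when the lock file was written, and what a tampered source serves later for
# the same version string.
GOOD_JS_TARBALL = b"@dydxprotocol/v4-client-js tarball as originally locked\n"
TAMPERED_JS_TARBALL = b"@dydxprotocol/v4-client-js tarball with a wallet stealer\n"
GOOD_PY_WHEEL = b"dydx-v4-client wheel as originally locked\n"
TAMPERED_PY_WHEEL = b"dydx-v4-client wheel with a wallet stealer\n"

# pip hash option as it appears on a requirement line: --hash=sha256:<hex>
HASH_OPT = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Subresource Integrity string as npm records it: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_npm_lock(lock: dict, artifacts: dict) -> dict:
    """Check each dependency's 'integrity' field (package-lock.json v2/v3 'packages'
    map) against the bytes fetched for it. Missing hash or missing artifact fails closed."""
    results = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        expected = entry.get("integrity", "")
        algorithm, sep, _ = expected.partition("-")
        data = artifacts.get(name)
        if data is None or not sep or algorithm not in hashlib.algorithms_available:
            results[name] = False
            continue
        results[name] = hmac.compare_digest(sri_digest(data, algorithm), expected)
    return results


def verify_requirements(requirements: str, artifacts: dict) -> dict:
    """Emulate pip's --require-hashes rule: every requirement must carry at least one
    hash and the fetched artifact must match one of them. Lines are expected in the form
    'name==version --hash=algo:hex' with backslash continuations already joined."""
    results = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec = line.split()[0]
        name = re.split(r"[=<>!~\[;]", spec, maxsplit=1)[0].strip()
        hashes = HASH_OPT.findall(line)
        data = artifacts.get(name)
        if not hashes or data is None:
            results[name] = False  # an unhashed requirement aborts the whole install
            continue
        results[name] = any(
            algo in hashlib.algorithms_available
            and hmac.compare_digest(hashlib.new(algo, data).hexdigest(), hexval.lower())
            for algo, hexval in hashes
        )
    return results


def run_example() -> dict:
    """Lock files written against the good artifacts, then checked against both the
    original bytes and the tampered bytes. Versions are placeholders, not real releases."""
    package_lock = {
        "name": "example-dydx-bot",
        "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"@dydxprotocol/v4-client-js": "0.0.0-example"}},
            "node_modules/@dydxprotocol/v4-client-js": {
                "version": "0.0.0-example",
                "integrity": sri_digest(GOOD_JS_TARBALL),
            },
        },
    }
    requirements = (
        "# constructed example; the version is a placeholder\n"
        f"dydx-v4-client==0.0.0 --hash=sha256:{hashlib.sha256(GOOD_PY_WHEEL).hexdigest()}\n"
    )
    js = "@dydxprotocol/v4-client-js"
    py = "dydx-v4-client"
    return {
        "npm_original": verify_npm_lock(package_lock, {js: GOOD_JS_TARBALL}),
        "npm_tampered": verify_npm_lock(package_lock, {js: TAMPERED_JS_TARBALL}),
        "pip_original": verify_requirements(requirements, {py: GOOD_PY_WHEEL}),
        "pip_tampered": verify_requirements(requirements, {py: TAMPERED_PY_WHEEL}),
    }


if __name__ == "__main__":
    for scenario, outcome in run_example().items():
        print(scenario, outcome)
```

The check only catches silent replacement of an artifact you already pinned. If you run `npm install` with a version range, or bump the pin to the backdoored release yourself, the lock file is rewritten with the new hash and the verification passes, which is why the incident above still needs exact pins, a delay before adopting new releases, and a look at the diff of the published package, not just a lock file.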
