
posted by hubie on Thursday February 12, @03:23PM

Incident is at least the third time the exchange has been targeted by thieves:

Open source packages published on the npm and PyPI repositories were laced with code that stole wallet credentials from dYdX developers and backend systems and, in some cases, backdoored devices, researchers said.

"Every application using the compromised npm versions is at risk ...." the researchers, from security firm Socket, said Friday. "Direct impact includes complete wallet compromise and irreversible cryptocurrency theft. The attack scope includes all applications depending on the compromised versions and both developers testing with real credentials and production end-users."

The affected package versions were:

npm (@dydxprotocol/v4-client-js):

  • 3.4.1
  • 1.22.1
  • 1.15.2
  • 1.0.31

PyPI (dydx-v4-client):

  • 1.1.5post1

dYdX is a decentralized derivatives exchange that supports hundreds of markets for "perpetual trading," or the use of cryptocurrency to bet that the value of a derivative future will rise or fall. Socket said dYdX has processed over $1.5 trillion in trading volume over its lifetime, with an average trading volume of $200 million to $540 million and roughly $175 million in open interest. The exchange provides code libraries that allow third-party apps for trading bots, automated strategies, or backend services, all of which handle mnemonics or private keys for signing.

[...] The malicious code available on PyPI contained the same credential theft function, although it also implemented a remote access Trojan (RAT) that allowed the execution of new malware on infected systems. The backdoor received commands from dydx[.]priceoracle[.]site. The domain was registered on January 9, 17 days before the malicious package was uploaded to PyPI.

The RAT, Socket said:

  • Runs as a background daemon thread
  • Beacons to the C2 server every 10 seconds
  • Receives Python code from the server
  • Executes it in an isolated subprocess with no visible output
  • Uses a hardcoded authorization token: 490CD9DAD3FAE1F59521C27A96B32F5D677DD41BF1F706A0BF85E69CA6EBFE75

Once installed, the threat actors could:

  • Execute arbitrary Python code with user privileges
  • Steal SSH keys, API credentials, and source code
  • Install persistent backdoors
  • Exfiltrate sensitive files
  • Monitor user activity
  • Modify critical files
  • Pivot to other systems on the network

Socket said the packages were published to npm and PyPI by official dYdX accounts, an indication that those accounts were compromised and used by the attackers. dYdX officials didn't respond to an email seeking confirmation and additional details.

The incident is at least the third time dYdX has been targeted in attacks. Previous events include a September 2022 uploading of malicious code to the npm repository and the commandeering in 2024 of the dYdX v3 website through DNS hijacking. Users were redirected to a malicious site that prompted them to sign transactions designed to drain their wallets.

"Viewed alongside the 2022 npm supply chain compromise and the 2024 DNS hijacking incident, this [latest] attack highlights a persistent pattern of adversaries targeting dYdX-related assets through trusted distribution channels," Socket said. "The threat actor simultaneously compromised packages in both npm and PyPI ecosystems, expanding the attack surface to reach JavaScript and Python developers working with dYdX."

Anyone using the platform should carefully examine all apps for dependencies on the malicious packages listed above.
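The check the article recommends can be mechanised. The script below is an added example written for this page; it is not Socket's tooling and not dYdX's code. It takes the version list and the two indicators the article names (the C2 domain and the hardcoded authorization token) and looks for them in the places a practitioner would actually check: an npm package-lock.json (lockfile v1, v2 or v3 layouts), a requirements.txt or pip freeze listing (names and versions normalised per PEP 503 / PEP 440, so dydx_v4_client==1.1.5.post1 is recognised), and the source files of an installed node_modules or site-packages tree. The sample manifests and source snippet embedded in it are constructed for the example, not real project files.

```python
"""Look for the compromised dYdX client versions and the published IOCs.

Added example for this page. Versions, domain and token come from the
write-up above; every manifest layout and sample input is constructed here.
"""
import json
import re
from pathlib import Path

MALICIOUS_VERSIONS = {
    "npm": {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}},
    "pypi": {"dydx-v4-client": {"1.1.5post1"}},
}
C2_DOMAIN = "dydx.priceoracle.site"  # written dydx[.]priceoracle[.]site in the article
AUTH_TOKEN = "490CD9DAD3FAE1F59521C27A96B32F5D677DD41BF1F706A0BF85E69CA6EBFE75"


def _canon_pypi_name(name):
    # PEP 503: dydx_v4_client, Dydx.V4.Client and dydx-v4-client are one project
    return re.sub(r"[-_.]+", "-", name).lower()


def _canon_version(version):
    # PEP 440: 1.1.5.post1 and 1.1.5post1 denote the same release
    return version.strip().lower().replace(".post", "post")


def check_package_lock(lock_text):
    """Return sorted [(name, version)] for malicious npm versions in a package-lock.json."""
    data = json.loads(lock_text)
    bad = MALICIOUS_VERSIONS["npm"]
    hits = set()

    # lockfileVersion 2/3: flat "packages" map keyed by install path
    for path, entry in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules
        if entry.get("version") in bad.get(name, ()):
            hits.add((name, entry["version"]))

    # lockfileVersion 1 (also present in v2 for compatibility): nested tree
    def walk(deps):
        for name, entry in deps.items():
            if entry.get("version") in bad.get(name, ()):
                hits.add((name, entry["version"]))
            walk(entry.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(hits)


def check_requirements(req_text):
    """Return [(name, version)] for malicious pins in requirements.txt / pip freeze output."""
    bad = MALICIOUS_VERSIONS["pypi"]
    pin = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
    hits = []
    for line in req_text.splitlines():
        m = pin.match(line.split("#", 1)[0].strip())
        if not m:
            continue  # unpinned, comment or blank line
        name, version = _canon_pypi_name(m.group(1)), _canon_version(m.group(2))
        if version in bad.get(name, ()):
            hits.append((name, version))
    return hits


def find_iocs(text):
    """Return the indicators present in a file's contents."""
    found = []
    if C2_DOMAIN in text or C2_DOMAIN.replace(".", "[.]") in text:
        found.append("c2_domain")
    if AUTH_TOKEN in text:
        found.append("auth_token")
    return found


def scan_tree(root):
    """Map file path -> indicators for source files under node_modules/ or site-packages/."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".py", ".js", ".mjs", ".cjs", ".json"}:
            try:
                iocs = find_iocs(path.read_text(errors="ignore"))
            except OSError:
                continue
            if iocs:
                report[str(path)] = iocs
    return report


# Constructed sample inputs (not real project files) so the script runs offline.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "trading-bot", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "dependencies": {"@dydxprotocol/v4-client-js": "^1.22.0"}},
        "node_modules/@dydxprotocol/v4-client-js": {"version": "1.22.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_REQUIREMENTS = """# constructed pip freeze output
requests==2.32.3
dydx_v4_client==1.1.5.post1   # pip prints the PEP 440 canonical form
numpy>=1.26
"""
SAMPLE_SOURCE = 'C2_URL = "https://dydx.priceoracle.site/api"\n'  # constructed, not the real payload

if __name__ == "__main__":
    print("npm lock :", check_package_lock(SAMPLE_PACKAGE_LOCK))
    print("pip pins :", check_requirements(SAMPLE_REQUIREMENTS))
    print("iocs     :", find_iocs(SAMPLE_SOURCE))
    print("tree     :", scan_tree("node_modules"))  # empty dict if the directory is absent
```

Because the script embeds the token and domain as constants, scan_tree will flag its own file if it sits inside the tree being scanned; keep it outside, or exclude it. A clean result from the manifest checks is not the end of the job: the article says the payload stole wallet credentials from developer machines and backends, so any mnemonic or private key handled on a host that ran one of the listed versions should be treated as exposed regardless of what the lockfile says today.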


  • (Score: 4, Touché) by ledow on Thursday February 12, @03:32PM (5 children)

    by ledow (5567) on Thursday February 12, @03:32PM (#1433441) Homepage

    Almost like a service that handles trillions of dollars of other people's money shouldn't be trusted if it's being constantly caught out by things which have relatively simple safeguards.

    • (Score: 4, Insightful) by epitaxial on Thursday February 12, @04:41PM (4 children)

      by epitaxial (3165) on Thursday February 12, @04:41PM (#1433451)

      More like you shouldn't blindly let high level scripting languages download and install code from any random source.

      • (Score: 2) by bloodnok on Thursday February 12, @08:01PM (3 children)

        by bloodnok (2578) on Thursday February 12, @08:01PM (#1433466)

        Yep.

        I am currently working on a command-line replacement for the Arduino IDE. It is mostly written in GNU make but there are some ancillary services for parsing and so on that I have implemented in shell and gawk. This would be much easier in a high-level language like Python but: it's another dependency, and it would be a dependency on packages that depend on other packages which depend....

        There is no way that I would feel comfortable suggesting that other people should have to download stuff that I have not vetted, and that I cannot vet because it is always changing. I'm not a fan of using the lowest common denominator toolsets, but they are stable, well tested, and about as secure as any software can be. As they are generally packaged by distributions with at least some level of quality control I am pretty comfortable using them and recommending them to others.

        It is a pretty sad state of affairs when the choice is between richly functional, easy to use tools, which allow for much cleaner, more easily verified, code but have been shown to have an ecosystem that allows for malware to be embedded, or rock-solid but primitive tools, which require fairly ugly coding techniques and way more effort to achieve the same ends.

        I guess the tin-foil hatter in me won over the lazy git this time.

        __
        The Major

        • (Score: 2) by Unixnut on Friday February 13, @12:55AM (2 children)

          by Unixnut (5779) on Friday February 13, @12:55AM (#1433491)

          A bit of a side track on the original article, but there already exists [freebsd.org] a CLI Makefile based Arduino build system. I've been using it for years, almost as soon as I got into Arduino as I found their IDE sub-par, to put it nicely (and I prefer the command line). As I don't know how it compares to your project I can't say if it matches your needs, but if nothing else it may give you some ideas about how to handle things when you see how others solved it in a similar situation.

          As for the article, well you should not download random code off the internet and execute it. Proper OS packages (properly signed, hashed and verified) are one thing, but in the last few years every popular language seems to have cobbled together a half-assed attempt at a package manager without even looking at how others did it properly (and even then, bugs/security holes slip through), with the result of the above happening with increasing frequency.

          As for npm, it seems to be the worst culprit in this area. Almost every time some major malicious package has been found, it's usually in npm. I can only assume that those who work in that ecosystem don't have the best grasp of security and its implications, probably because javascript was always sandboxed inside a browser that took care of security (and everything else).

          I find it quite amazing that nodejs ever took off. Javascript was always a clunky crap language on the browser, used because it was the only language available. I felt it was just cobbled together quickly in order to be first to market, but eventually it would be replaced with a proper system. Last thing I'd imagine is people wanting to use it outside the browser, where there are alternative languages, 99% of them better. Yet here we are, with all the corresponding problems.

          • (Score: 2) by PiMuNu on Friday February 13, @02:10PM

            by PiMuNu (3823) on Friday February 13, @02:10PM (#1433517)

            PyPI is catching up with npm quickly...

          • (Score: 2) by bloodnok on Friday February 13, @06:36PM

            by bloodnok (2578) on Friday February 13, @06:36PM (#1433559)

            Thanks, yes I've seen the Arduino CLI tools, as well as Arduino.mk, which I quite liked though I found it needed too much hand-holding and didn't support some of the things I wanted to do.

            My project, dno: https://github.com/marcmunro/dno/ [github.com], takes things a whole lot further, automates pretty much everything that can be automated, uses really simple commands, and aims to provide useful and complete documentation. It also supports the development of unit testing for libraries and doxygen-based documentation builds.

            The current (alpha) release is still a bit buggy but I'm, finally, implementing a test suite for it which is enabling me to find and fix bugs and keep them fixed. The next release should be pretty solid, and I'd expect that to be in a couple of months.

            It's been working for me for a couple of years and I find it infinitely preferable to any other toolset I've tried but, of course, I'm biased.

            If you want to try it, I'd appreciate bug reports.

            __
            The major
