A multitude of npm cryptographic packages have been compromised


Several npm packages released by a major cryptocurrency exchange have been compromised and updated to contain malicious code

Decentralized cryptocurrency exchange (DEX) dYdX tweeted that it had discovered the compromise and described how it was remedying the issue.

"As of 6:14am EST, we have identified malicious builds released in various dYdX NPM packages that have been removed immediately," the tweet reads. "All funds are SAFE, our websites/apps were NOT compromised, the attack did NOT affect smart contracts."

Multiple packages spreading information stealers

Further explaining how user funds are not compromised, the company said: "Please remember that dYdX does not have custody of user funds, which are deposited directly into a smart contract on the blockchain."

Cybersecurity researcher Maciej Mensfeld of the security firm Mend and Difend.io found that some of the packages contained code that launched information-stealing malware when it ran. He identified three packages that had been tampered with for use in identity theft attacks.

The '@dydxprotocol/node-service-base-dev' package was reportedly also compromised, but has since been removed from the registry.

The packages are described as "Ethereum Smart Contracts and TypeScript library used for dYdX solo trading protocol". That package alone, according to the post, is used by at least 44 GitHub repositories built by "multiple crypto platforms."

This is apparently not the first time that malicious actors have tried to smuggle this same malware into multiple packages. BleepingComputer reports having seen "strikingly identical" code in malicious Python "PyGrata" packages that stole Amazon Web Services (AWS) credentials, environment variables, and SSH keys.

Package registries are also a frequent target for typosquatting: attackers publish malicious look-alikes of popular packages under similar names, hoping that overworked or careless developers will unknowingly pick the wrong one. The dYdX incident is different in kind, since the legitimate packages themselves were updated with malicious builds, so choosing the right name alone would not have protected a downstream project; what matters there is reviewing what a new version does before it is allowed to run.
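The two patterns above (look-alike package names, and package updates that run code at install time) are both things a reviewer can check mechanically before trusting a dependency. The script below is an added example written for this page; it is not code from the article, from BleepingComputer, or from dYdX, and it does not reproduce how the dYdX payload actually ran. It assumes the team maintains its own list of vetted package names (KNOWN_GOOD), and the manifest it audits is constructed inline: "lodahs" and "@acme/widget" are hypothetical packages, and the postinstall command is a placeholder.

```javascript
'use strict';

// Added example, not from the article or the dYdX project. Two supply-chain
// checks over a dependency manifest:
//   1. flag names within a couple of edits of a vetted package name
//      (the typosquatting pattern), and
//   2. flag install-time lifecycle scripts, the usual hook for code that
//      runs automatically as soon as `npm install` finishes.

// Assumption: the team keeps a vetted list like this one. The names are real
// npm packages used only as illustration.
const KNOWN_GOOD = ['lodash', 'express', 'axios', 'react', 'chalk', '@dydxprotocol/solo'];

// Plain Levenshtein distance (single-row DP). Enough to catch one- or
// two-character substitutions, omissions, insertions and swaps in a name.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], becomes next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns the vetted name that `name` resembles, or null when `name` is
// itself vetted or is not close to any vetted name.
function lookalikeOf(name, knownGood = KNOWN_GOOD, maxDistance = 2) {
  if (knownGood.includes(name)) return null;
  let best = null;
  for (const good of knownGood) {
    const d = editDistance(name, good);
    if (d > 0 && d <= maxDistance && (best === null || d < best.distance)) {
      best = { name: good, distance: d };
    }
  }
  return best ? best.name : null;
}

// Lifecycle hooks npm runs on its own while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Lists the install-time scripts a package.json object declares.
function installScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// `manifest.dependencies` maps package name -> that package's package.json
// (as read from node_modules). Returns one finding per problem spotted.
function audit(manifest) {
  const findings = [];
  for (const [name, pkg] of Object.entries(manifest.dependencies || {})) {
    const twin = lookalikeOf(name);
    if (twin) findings.push({ package: name, issue: `name resembles vetted package "${twin}"` });
    for (const s of installScripts(pkg)) {
      findings.push({ package: name, issue: `runs "${s.hook}" script on install: ${s.command}` });
    }
  }
  return findings;
}

// Constructed sample manifest. "lodahs" and "@acme/widget" are hypothetical;
// the postinstall command is a placeholder, not any real payload.
const SAMPLE_MANIFEST = {
  dependencies: {
    lodash: { name: 'lodash', version: '4.17.21', scripts: {} },
    lodahs: { name: 'lodahs', version: '1.0.0', scripts: { postinstall: 'node ./setup.js' } },
    '@acme/widget': { name: '@acme/widget', version: '2.3.1', scripts: { build: 'tsc' } },
  },
};

for (const f of audit(SAMPLE_MANIFEST)) {
  console.log(`${f.package}: ${f.issue}`);
}
```

On the sample, only "lodahs" is reported, twice: once for resembling "lodash" and once for its postinstall hook; "@acme/widget" has a `build` script, which npm does not run during install, so it is not flagged. A finding from the second check is a reason to read the script, not proof of malice, but until it has been read `npm install --ignore-scripts` is the safe default for a CI or developer machine.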

Via: BleepingComputer