A number of NPM packages used by the popular DeFi exchange dYdX appear to have been hacked as the packages were discovered to include illegal code that, when installed on a system, would launch info stealers.
Diffend.io creator Maciej Mensfeld, a security researcher at the Mend software supply chain security company, reported discovering numerous corrupted npm packages that were secretly installing info stealers.
This exploit appears to be the result of the attacker gaining control of the NPM account of a dYdX employee and using it to upload updated versions of credible packages.
The user account belonging to a dYdX employee submitted the updated 1.2.2 version of the NPM packages “@dydxprotocol/perpetual” at 10:37 on September 23. This version includes a new preinstall script.
The attacker appears to have a predefined set of operations they want to carry out on the victim’s computer before opening a channel for arbitrary code execution, essentially stealing their environment variables and login information for numerous services.
By uploading the poisoned version 0.41.1 of the package “@dydxprotocol/solo”, the exact same attack using the identical preinstall script was conducted.
Version 0.2.10 of a different package, “@dydxprotocol/node-service-base-dev”, which was published at the same time as this incident, was similarly infected.
Additionally, this timing matches dYdX’s official tweet announcing this attack.
The Ethereum Smart Contracts and TypeScript library used for the dYdX Solo Trading Protocol is made up of these packages.
dYdX reported that all funds are safe following the incident. The exchange added that its websites and apps have not been compromised and the attack did not impact smart contracts.
The exchange tweeted “Reminder that dYdX does not have custody of user funds, which are deposited directly to a smart contract on the blockchain.”