DYdX npm and PyPI wallet stealer and RAT payloads
Malware Activity
Summary
Hide ▲
Show ▼
The dYdX npm and PyPI packages now deliver a wallet stealer and RAT payload, creating immediate risk of seed phrase theft and host compromise. The npm variant siphons seed phrases and device information, while the PyPI version also retrieves commands for remote execution. The activity matters because it turns trusted package updates into a path for stealing crypto credentials and gaining persistent access.
Related Happenings
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware Activity
H score37
First: 08.07.2026 22:54
Last: 08.07.2026 22:54
Sources 1
About this happening:
Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware ActivityAbout this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Operation Navy Ghost PyPI supply-chain campaign
CampaignAbout this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Shai-Hulud PyPI supply-chain malware activity
Malware ActivityAbout this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Timeline
-
06.02.2026 10:40 1 articles · 5mo ago
dYdX package compromise delivers wallet stealer and RAT
Initial DisclosureCybersecurity researchers disclosed a supply chain compromise affecting dYdX npm and PyPI packages, including @dydxprotocol/v4-client-js versions 3.4.1, 1.22.1, 1.15.2, and 1.0.31 and dydx-v4-client 1.1.5post1. The poisoned npm code siphons wallet seed phrases and device information, while the PyPI package also drops a RAT that imports commands from dydx.priceoracle[.]site/py; malicious code was inserted into registry.ts, registry.js, and account.py. dYdX later said users who may have downloaded the compromised versions should isolate affected machines, move funds to a new wallet from a clean system, and rotate API keys and credentials after responsible disclosure on January 28, 2026.
Show sources
- Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware — thehackernews.com — 06.02.2026 10:40