
dYdX npm and PyPI wallet stealer and RAT payloads

Malware Activity
Happening score: 42
1 unique source, 1 article

Summary


The dYdX npm and PyPI packages now deliver a wallet stealer and RAT payload, creating immediate risk of seed phrase theft and host compromise. The npm variant siphons seed phrases and device information, while the PyPI version also retrieves commands for remote execution. The activity matters because it turns trusted package updates into a path for stealing crypto credentials and gaining persistent access.

Related Happenings

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
First: 30.04.2026 19:31 Last: 30.04.2026 19:31 Sources 1

About this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...

Latest development: 04.05.2026 20:15

Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.

PromptMink malicious npm dependency stealing secrets and crypto wallets

Malware Activity
First: 29.04.2026 17:00 Last: 29.04.2026 17:00 Sources 1

About this happening: The **PromptMink** malicious npm dependency now poses an immediate theft risk because it is stealing sensitive data and exposing **crypto wallets** from infected environments. The...

Malicious npm packages @automagik/genie and pgserve self-propagating malware

Malware Activity
First: 24.04.2026 11:10 Last: 24.04.2026 11:10 Sources 1

About this happening: **Malicious npm packages** are distributing **credential-stealing malware** that runs during installation and **self-propagates** across developer ecosystems, raising supply-chain...

Timeline

  1. 06.02.2026 10:40 · 1 article · 3mo ago

    dYdX package compromise delivers wallet stealer and RAT

    Initial Disclosure

    Cybersecurity researchers disclosed a supply chain compromise affecting dYdX npm and PyPI packages, including @dydxprotocol/v4-client-js versions 3.4.1, 1.22.1, 1.15.2, and 1.0.31 and dydx-v4-client 1.1.5post1. The poisoned npm code siphons wallet seed phrases and device information, while the PyPI package also drops a RAT that fetches commands from dydx.priceoracle[.]site/py; the malicious code was inserted into registry.ts, registry.js, and account.py. dYdX later said that users who may have installed the compromised versions should isolate affected machines, move funds to a new wallet from a clean system, and rotate API keys and credentials; the issue was responsibly disclosed on January 28, 2026.
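    As an added check (example code, not from the page or the dYdX project), the script below scans an npm package-lock.json and pip requirement lines for the affected versions listed above; the affected-version sets, sample inputs and function names are assumptions constructed for this example.

```python
# Added example (not the page's or dYdX's code): flag the disclosed package versions in an npm lockfile or pip requirement lines.
import json
import re

# Versions exactly as listed in the disclosure; nothing else is flagged here.
AFFECTED_NPM = {"@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"}}
AFFECTED_PYPI = {"dydx-v4-client": {"1.1.5post1"}}

def find_npm_hits(lockfile_text):
    """Return sorted [(name, version)] hits from a package-lock.json (v1, v2 or v3)."""
    lock = json.loads(lockfile_text)
    hits = set()
    # v2/v3: flat "packages" map keyed by install path (nested node_modules included).
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in AFFECTED_NPM.get(name, ()):
            hits.add((name, meta["version"]))

    def walk_v1(deps):  # v1: nested "dependencies" tree
        for name, meta in deps.items():
            if meta.get("version") in AFFECTED_NPM.get(name, ()):
                hits.add((name, meta["version"]))
            walk_v1(meta.get("dependencies", {}))

    walk_v1(lock.get("dependencies", {}))
    return sorted(hits)

def _norm_name(name):  # PEP 503 project-name normalisation
    return re.sub(r"[-_.]+", "-", name).lower()

def _norm_version(version):  # only the post-release spelling: 1.1.5.post1 -> 1.1.5post1
    return re.sub(r"[.\-_]?post", "post", version.strip().lower())

def find_pypi_hits(requirements_text):
    """Return [(name, version)] for pinned hits in requirements.txt or `pip freeze` output."""
    hits = []
    for line in requirements_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)", line)
        if m:
            name, version = _norm_name(m.group(1)), _norm_version(m.group(2))
            if version in AFFECTED_PYPI.get(name, ()):
                hits.append((name, version))
    return hits

# Constructed sample inputs, not real project files.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "0.1.0"}, "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@dydxprotocol/v4-client-js": {"version": "3.4.1"}}})
SAMPLE_REQS = "requests==2.31.0\nDydx_V4_Client == 1.1.5.post1  # pinned\nnumpy>=1.26\n"
```

    A hit only tells you the pinned version matches; the disclosure's guidance (isolate the host, move funds from a clean system, rotate keys) still applies to any machine where such a version was installed.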
