The Spice Must Flow... Into the Attacker's Wallet: Inside the dYdX Supply Chain Hack
Vulnerability ID: GHSA-4F84-67CV-QRV3
CVSS Score: 10.0
Published: 2026-02-06
In early February 2025, the official client libraries for the dYdX decentralized exchange were poisoned with malware. This wasn't a clever buffer overflow or a race condition; it was a brutal supply chain compromise where attackers seized control of developer accounts to publish malicious versions (PyPI 1.1.5post1 and npm 3.4.1 et al.). The payload, part of the 'Shai Hulud' campaign, turned developer workstations into open books, exfiltrating crypto wallets, SSH keys, and GitHub tokens before the victims even finished their morning coffee.
TL;DR
Attackers compromised dYdX maintainer accounts and published malicious updates to PyPI and npm. The infected packages contained an obfuscated infostealer (Shai Hulud) that activates upon installation, stealing secrets, wallets, and credentials. Immediate remediation involves identifying affected versions, wiping environments, and rotating all credentials.
⚠️ Exploit Status: ACTIVE
Technical Details
- Attack Vector: Supply Chain / Malicious Package
- CVSS: 10.0 (Critical)
- Impact: RCE, Data Exfiltration, Credential Theft
- Payload Type: Infostealer / RAT (Shai Hulud)
- Affected Ecosystems: PyPI, npm
- Technique: Typosquatting / Account Takeover
Affected Systems
- Python Development Environments
- Node.js Development Environments
- CI/CD Pipelines using dYdX clients
- Cryptocurrency Trading Bots
- dydx-v4-client (PyPI): 1.1.5post1 (Fixed in: 1.1.5)
- @dydxprotocol/v4-client-js (npm): 3.4.1, 1.22.1, 1.15.2, 1.0.31 (Fixed in: N/A (Downgrade required))
Mitigation Strategies
- Dependency Pinning with Hash Checking
- Behavioral Analysis of Dependencies (e.g., Socket)
- Least Privilege for CI/CD Tokens
- Developer Identity Verification
Remediation Steps:
- Identify installed versions: run "pip list | grep dydx" or "npm list @dydxprotocol/v4-client-js".
- If infected, disconnect the machine from the network immediately.
- Wipe and re-image the compromised system; do not attempt to surgically remove the malware.
- Rotate ALL credentials (SSH keys, API tokens, Wallet Private Keys) found on the system.
- Audit GitHub and Cloud logs for suspicious activity during the exposure window.
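The version check in the first remediation step, as an added example that is not part of the original advisory: it parses the output of "pip list" and "npm list" and flags any install that matches a compromised release listed above. The sample outputs and the package names in it are constructed for illustration; run it against the real command output on the host you are triaging.

```python
import re

# Compromised releases exactly as this advisory lists them.
MALICIOUS = {
    "dydx-v4-client": {"1.1.5post1"},
    "@dydxprotocol/v4-client-js": {"3.4.1", "1.22.1", "1.15.2", "1.0.31"},
}

def _norm_version(v):
    # pip may print the PEP 440 normal form "1.1.5.post1" for "1.1.5post1".
    return v.strip().lower().replace(".post", "post")

def parse_pip_list(output):
    """Parse `pip list` (default columns format) into {name: version}."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z0-9][\w.\-]*)\s+(\S+)\s*$", line)
        if m and m.group(1).lower() != "package":
            found[m.group(1).lower().replace("_", "-")] = m.group(2)
    return found

def parse_npm_list(output):
    """Parse `npm list` tree output into {name: version}; scoped names keep '@'."""
    found = {}
    for line in output.splitlines():
        m = re.search(r"(@?[\w.\-]+(?:/[\w.\-]+)?)@(\d[\w.\-]*)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def find_compromised(pip_output, npm_output):
    """Return (package, version) pairs that match a known-malicious release."""
    installed = {**parse_pip_list(pip_output), **parse_npm_list(npm_output)}
    hits = []
    for pkg, bad in MALICIOUS.items():
        ver = installed.get(pkg)
        if ver and _norm_version(ver) in {_norm_version(b) for b in bad}:
            hits.append((pkg, ver))
    return hits

# Constructed sample output (not captured from a real machine).
SAMPLE_PIP = ("Package        Version\n-------------- ----------\n"
              "dydx-v4-client 1.1.5.post1\nrequests       2.31.0\n")
SAMPLE_NPM = ("trading-bot@1.0.0 /home/dev/bot\n"
              "├── @dydxprotocol/v4-client-js@3.4.1\n└── ws@8.14.2\n")

if __name__ == "__main__":
    # In practice, pass the real output of `pip list` and `npm list` here.
    for pkg, ver in find_compromised(SAMPLE_PIP, SAMPLE_NPM):
        print(f"COMPROMISED: {pkg} {ver} -- isolate host, rotate credentials")
```

A hit means the host should be treated as compromised and taken through the wipe-and-rotate steps above; a clean result only covers the two client packages named in this advisory, not the rest of the dependency tree.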
References
Read the full report for GHSA-4F84-67CV-QRV3 on our website for more details including interactive diagrams and full exploit analysis.