Several npm packages published by a major cryptocurrency exchange were compromised and updated to contain malicious code
The decentralized cryptocurrency exchange (DEX) dYdX has tweeted about discovering the compromise and about how it is working to fix the problem.
"At 6:14 am EST we identified malicious versions published in many dYdX NPM packages that were quickly removed," the tweet reads. "All funds are SAFE, our websites / applications have NOT been compromised, smart contracts have NOT been affected by the attack."
Multiple packages distributing infostealers
Explaining further why user funds are not at risk, the company said: "Reminder that dYdX has no custody of user funds, which are deposited directly into the blockchain smart contract."
Cyber security researcher Maciej Mensfeld of security firm Mend and Diffend.io discovered that some of the packages contained code that, when run, would execute information-stealing malware. He found three packages that had been hijacked for use in credential-stealing attacks:
- @dydxprotocol/solo – versions 0.41.1, 0.41.2
- @dydxprotocol/perpetual – versions 1.2.2, 1.2.3
The "@dydxprotocol/node-service-base-dev" package was apparently also compromised, but it has since been removed from the registry entirely.
The packages are described as "Ethereum Smart Contracts and TypeScript library used in the dYdX Solo Trading Protocol." According to the report, the solo package is used by at least 44 GitHub repositories, built by "multiple crypto platforms".
This is apparently not the first time cybercriminals have tried to sneak this same malicious code into different packages. BleepingComputer reports that the code is "strikingly similar" to that in the malicious Python "PyGrat" packages, which stole Amazon Web Services (AWS) credentials, environment variables, and SSH keys.
Package registries are a frequent target for malicious actors, who sometimes publish malicious copies of popular packages under similar names in the hope that overworked or careless developers will unknowingly pick the wrong one.
Via: BleepingComputer