DigiNews

Malicious packages for dYdX cryptocurrency exchange empties user wallets

Quality: 9/10 Relevance: 9/10

Summary

Ars Technica reports that open-source packages associated with dYdX and published to npm and PyPI were compromised and contained code that steals wallet credentials and, in some cases, backdoors devices. The attack demonstrates the software supply-chain risk that crypto platforms face and the potential for widespread impact across developers and users when dependencies are tainted. It underscores the need for dependency auditing, SBOMs, and prompt remediation in development workflows.

Service built by Johan Denoyer