A single post-release of dydx-v4-client contained obfuscated multi-stage loader
A PyPI user account compromised by an attacker and was able to upload a malicious version (1.1.5.post1) of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system. While the final payload is not visible because it is tucked away inside 100 layers of encoding, the structural design—specifically the use of recursive decompression followed by an exec() call is a …