Resolved -
This incident has been resolved.
Jan 30, 21:33 UTC
Investigating -
Malicious versions of dydx-v4-clients were recently uploaded to PyPI (version 1.1.5.post1) and NPM (versions 3.4.1, 1.22.1, 1.15.2, 1.0.31). If you are using any of these versions your funds are at risk.
This is a full remote code execution (RCE). Assume the machine is totally compromised, including any keys, credentials, or secrets stored on it. The payload's full capabilities are unknown. - Immediately isolate the affected machine - Do NOT continue using it for trading or wallet ops - Move funds to new wallets from a clean machine - Rotate all API keys/credentials accessible from that machine - Engage your security team for forensics
The versions of dydx-v4-clients hosted in the dydxprotocol Github do not contain the malware.
