PYSEC-2026-1

Vulnerability from pysec - Updated: 2026-01-28 21:09
Details

A PyPI user account was compromised by an attacker, who used it to upload a malicious version (1.1.5.post1) of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system.

While the final payload is not directly visible, because it is tucked away inside 100 layers of encoding, the structural design, specifically recursive decompression followed by an exec() call, is a definitive indicator of malicious software: most likely a "crypter" or "dropper" masquerading as a cryptocurrency-related utility, intended to connect to hxxps://dydx.priceoracle.site/py and download and execute further payloads. The loader sits in the package's _bootstrap.py (see the evidence reference below).
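The "recursive decompression followed by exec()" shape is detectable statically without ever running the file. The following is an added example for this advisory, not code from the dydx-v4-client package, from PyPI or from PySec: it parses a Python source file with the standard `ast` module and reports every module or function scope that both peels encoding layers (decompress, b64decode and similar) and hands the result to exec()/eval(), marking the scope as recursive when the function calls itself. The `build_sample()` file is constructed to imitate the described shape with an inert print() at the bottom; it is not the real _bootstrap.py.

```python
"""Static check for the loader shape this advisory describes: layered decode/decompress
calls ending in exec()/eval().

Added example for the advisory, not code from the dydx-v4-client package, PyPI or PySec.
build_sample() constructs a toy file with that shape so the check can be run offline; it is
NOT the real _bootstrap.py and its innermost payload is an inert print() call.
"""
import ast
import base64
import zlib
from typing import Iterator, Optional

# Calls that peel one layer of encoding. "loads" is here for marshal.loads; it also matches
# json.loads, which only matters when exec()/eval() sits in the same scope.
DECODE_FUNCS = {"decompress", "b64decode", "b85decode", "a85decode", "b32decode",
                "b16decode", "decodebytes", "unhexlify", "loads"}
EXEC_FUNCS = {"exec", "eval"}
SCOPE_TYPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef)


def _call_name(node: ast.AST) -> Optional[str]:
    """Bare callee name of a Call: exec(...) -> 'exec', zlib.decompress(...) -> 'decompress'."""
    if not isinstance(node, ast.Call):
        return None
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _scope_nodes(scope: ast.AST) -> Iterator[ast.AST]:
    """Walk a scope's body without descending into nested function/class/lambda bodies,
    so a finding is attributed to the innermost scope that actually does the work."""
    stack = list(ast.iter_child_nodes(scope))
    while stack:
        node = stack.pop()
        yield node
        if not isinstance(node, SCOPE_TYPES):
            stack.extend(ast.iter_child_nodes(node))


def scan_source(source: str) -> list:
    """One finding per scope (module or function) that both decodes data and calls
    exec()/eval(). 'recursive' is set when the function also calls itself, the hallmark
    of the multi-layer unwrap loop the advisory describes."""
    tree = ast.parse(source)
    scopes = [tree] + [n for n in ast.walk(tree)
                       if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    findings = []
    for scope in scopes:
        name = getattr(scope, "name", "<module>")
        decode_calls = exec_calls = self_calls = 0
        for node in _scope_nodes(scope):
            callee = _call_name(node)
            if callee in DECODE_FUNCS:
                decode_calls += 1
            elif callee in EXEC_FUNCS:
                exec_calls += 1
            elif callee == name:
                self_calls += 1
        if decode_calls and exec_calls:
            findings.append({
                "scope": name,
                "line": getattr(scope, "lineno", 1),
                "decode_calls": decode_calls,
                "exec_calls": exec_calls,
                "recursive": self_calls > 0,
            })
    return findings


def build_sample(layers: int = 3) -> str:
    """Constructed toy loader with the advisory's shape: N layers of zlib+base64 unwrapped
    recursively, exec() at the bottom. The payload is an inert print(), nothing else."""
    blob = b"print('inert sample payload')"
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(blob))
    return (
        "import base64, zlib\n"
        "def _unwrap(blob, n):\n"
        "    if n == 0:\n"
        "        exec(blob)\n"
        "    else:\n"
        "        _unwrap(zlib.decompress(base64.b64decode(blob)), n - 1)\n"
        f"_unwrap({blob!r}, {layers})\n"
    )


# Constructed benign control: decodes data but never hands it to exec()/eval().
BENIGN_SAMPLE = (
    "import base64, json\n"
    "def load(blob):\n"
    "    return json.loads(base64.b64decode(blob))\n"
)


if __name__ == "__main__":
    for label, src in (("toy loader", build_sample()), ("benign", BENIGN_SAMPLE)):
        print(label, scan_source(src))
```

To triage a real sdist, extract it and pass each .py file's text to scan_source(); a hit on a file such as _bootstrap.py that a package has no legitimate reason to ship is the signal to stop and inspect by hand, not to run the file. The check is deliberately structural: it does not try to unwrap the layers, so it is unaffected by how many there are.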

Users of the dydx-v4-client package should immediately uninstall version 1.1.5.post1 and revert to the last known good version (1.1.5), or to a later secure version once one is available. Reverting removes the loader but not anything it may already have downloaded and executed, so hosts on which 1.1.5.post1 was installed should be treated as potentially compromised: check DNS and egress logs for connections to dydx.priceoracle.site, monitor for unusual activity, and run security scans to detect any compromise.

Impacted products
Name purl
dydx-v4-client pkg:pypi/dydx-v4-client

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dydx-v4-client",
        "purl": "pkg:pypi/dydx-v4-client"
      },
      "versions": [
        "1.1.5.post1"
      ]
    }
  ],
  "credits": [
    {
      "name": "Mike Fiedler",
      "type": "COORDINATOR"
    }
  ],
  "details": "A PyPI user account compromised by an attacker and was able to\nupload a malicious version (1.1.5.post1) of the `dydx-v4-client` package.\nThis version contains a highly obfuscated multi-stage loader\nthat ultimately executes malicious code on the host system.\n\nWhile the final payload is not visible because it is tucked away inside 100 layers of encoding, \nthe structural design\u2014specifically the use of recursive decompression followed by an `exec()` call\nis a definitive indicator of malicious software,\nlikely a \"Crypter\" or \"Dropper\" masquerading as a cryptocurrency-related utility.\nwith the intent on connecting to hxxps://dydx.priceoracle.site/py\nto download and execute further payloads.\n\nUsers of the `dydx-v4-client` package should immediately uninstall version 1.1.5.post1\nand revert to the last known good version (1.1.5) or later secure versions once available.\nAdditionally, users should monitor their systems for any unusual activity\nand consider running security scans to detect any potential compromise.\n",
  "id": "PYSEC-2026-1",
  "modified": "2026-01-28T21:09:02+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://inspector.pypi.io/project/dydx-v4-client/1.1.5.post1/packages/4b/06/4d848676e932b0fc9d707bb78603dc76555141cc832819cd1e5077bdf2a2/dydx_v4_client-1.1.5.post1.tar.gz/dydx_v4_client-1.1.5.post1/dydx_v4_client/_bootstrap.py#line.18"
    }
  ],
  "summary": "A single post-release of dydx-v4-client contained obfuscated multi-stage loader"
}

