GHSA-4f84-67cv-qrv3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4f84-67cv-qrv3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4f84-67cv-qrv3/GHSA-4f84-67cv-qrv3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4f84-67cv-qrv3
- Published
- 2026-02-06T19:37:26Z
- Modified
- 2026-02-06T20:24:41.926523Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- A single post-release of dydx-v4-client contained obfuscated multi-stage loader
- Details
-
A PyPI user account compromised by an attacker and was able to upload a malicious version (1.1.5.post1) of the
dydx-v4-clientpackage. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system.While the final payload is not visible because it is tucked away inside 100 layers of encoding, the structural design—specifically the use of recursive decompression followed by an
exec()call is a definitive indicator of malicious software, likely a "Crypter" or "Dropper" masquerading as a cryptocurrency-related utility with the intent on connecting to hxxps://dydx[.]priceoracle[.]site/py to download and execute further payloads.Users of the
dydx-v4-clientpackage should immediately uninstall version 1.1.5.post1and revert to the last known good version (1.1.5) or later secure versions once available. Additionally, users should monitor their systems for any unusual activity and consider running security scans to detect any potential compromise. - Database specific
{ "nvd_published_at": null, "severity": "CRITICAL", "cwe_ids": [ "CWE-506" ], "github_reviewed": true, "github_reviewed_at": "2026-02-06T19:37:26Z" }- References
-
- https://github.com/lenktn/lenktn-dydx-v4-python
- https://github.com/pypa/advisory-database/tree/main/vulns/dydx-v4-client/PYSEC-2026-1.yaml
- https://inspector.pypi.io/project/dydx-v4-client/1.1.5.post1/packages/4b/06/4d848676e932b0fc9d707bb78603dc76555141cc832819cd1e5077bdf2a2/dydx_v4_client-1.1.5.post1.tar.gz/dydx_v4_client-1.1.5.post1/dydx_v4_client/_bootstrap.py#line.18
Affected packages
PyPI / dydx-v4-client
Package
- Name
- dydx-v4-client
- View open source insights on deps.dev
- Purl
- pkg:pypi/dydx-v4-client