PYSEC-2026-1

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/dydx-v4-client/PYSEC-2026-1.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-1

Published

2026-02-06T14:53:23.620543Z

Modified

2026-02-06T14:53:23.620543Z

Summary

A single post-release of dydx-v4-client contained obfuscated multi-stage loader

Details

A PyPI user account compromised by an attacker and was able to upload a malicious version (1.1.5.post1) of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system.

While the final payload is not visible because it is tucked away inside 100 layers of encoding, the structural design—specifically the use of recursive decompression followed by an exec() call is a definitive indicator of malicious software, likely a "Crypter" or "Dropper" masquerading as a cryptocurrency-related utility. with the intent on connecting to hxxps://dydx.priceoracle.site/py to download and execute further payloads.

Users of the dydx-v4-client package should immediately uninstall version 1.1.5.post1 and revert to the last known good version (1.1.5) or later secure versions once available. Additionally, users should monitor their systems for any unusual activity and consider running security scans to detect any potential compromise.

References

https://inspector.pypi.io/project/dydx-v4-client/1.1.5.post1/packages/4b/06/4d848676e932b0fc9d707bb78603dc76555141cc832819cd1e5077bdf2a2/dydx_v4_client-1.1.5.post1.tar.gz/dydx_v4_client-1.1.5.post1/dydx_v4_client/_bootstrap.py#line.18

Credits

- Mike Fiedler - COORDINATOR

Affected packages

PyPI / dydx-v4-client

Package

Name: dydx-v4-client; View open source insights on deps.dev
Purl: pkg:pypi/dydx-v4-client

Affected ranges

Affected versions

1.*

1.1.5.post1

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/dydx-v4-client/PYSEC-2026-1.yaml"