Supply-chain attack: compromised dYdX npm and PyPI packages deliver wallet stealers and RAT
Researchers reported compromised dYdX client packages on npm and PyPI distributing wallet-stealing malware, including a RAT in the Python variant. It’s another reminder that package ecosystems are high-leverage targets.
Researchers reported a coordinated **software supply-chain compromise** affecting dYdX client packages on both npm and PyPI.

**Reported impact**

- npm package versions allegedly included wallet-stealing behavior.
- The PyPI package allegedly included a wallet stealer plus a **remote access trojan (RAT)** that fetches and executes commands.

**Why it matters**

Package registries remain one of the highest-leverage attack surfaces: one compromised maintainer account can ripple across many downstream apps.

**What teams should do**

- Check lockfiles/SBOMs for affected versions.
- Isolate suspicious dev/build machines.
- Rotate credentials and wallets/keys from a clean environment.

**Tags:** Cyber Security, Supply Chain, JavaScript, Python
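One way to do the lockfile/SBOM check above, as an added example that is not code from the report or from dYdX: it reads a `package-lock.json` (v2/v3) and a CycloneDX JSON SBOM and matches name/version pairs against an indicator list. The package names and versions in `AFFECTED` are placeholders, since this summary does not name them; fill them in from the registry or vendor advisory.

```python
import re

# PLACEHOLDER indicators: this summary does not name the affected versions,
# so populate these from the registry/vendor advisory before running.
AFFECTED = {
    "npm": {"PLACEHOLDER-dydx-npm-client": {"0.0.0-placeholder"}},
    "pypi": {"placeholder-dydx-python-client": {"0.0.0-placeholder"}},
}

def norm(eco: str, name: str) -> str:
    """PyPI names compare case-insensitively with -, _ and . folded (PEP 503);
    npm names are compared as-is."""
    return re.sub(r"[-_.]+", "-", name).lower() if eco == "pypi" else name

def npm_lock_packages(lock: dict) -> dict:
    """name -> set of versions from a package-lock.json v2/v3 'packages' map
    (v1-only lockfiles use a nested 'dependencies' tree, not handled here)."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:          # "" is the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(meta.get("version", ""))
    return found

def cyclonedx_packages(sbom: dict) -> dict:
    """ecosystem -> name -> versions from a CycloneDX JSON SBOM, keyed by the
    purl type (pkg:npm/..., pkg:pypi/...)."""
    found = {"npm": {}, "pypi": {}}
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        eco = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else ""
        if eco in found:
            found[eco].setdefault(comp["name"], set()).add(comp.get("version", ""))
    return found

def find_affected(found: dict, affected: dict = AFFECTED) -> list:
    """Return sorted (ecosystem, name, version) triples that match the list."""
    hits = []
    for eco, pkgs in found.items():
        bad = {norm(eco, n): v for n, v in affected.get(eco, {}).items()}
        for name, versions in pkgs.items():
            for v in versions & bad.get(norm(eco, name), set()):
                hits.append((eco, name, v))
    return sorted(hits)

# Constructed sample inputs (not real lockfiles or SBOMs from any project).
SAMPLE_LOCK = {"packages": {"": {"name": "app"},
    "node_modules/PLACEHOLDER-dydx-npm-client": {"version": "0.0.0-placeholder"}}}
SAMPLE_SBOM = {"components": [{"name": "Placeholder_dydx.python-client",
    "version": "0.0.0-placeholder",
    "purl": "pkg:pypi/placeholder-dydx-python-client@0.0.0-placeholder"}]}
```

Run `find_affected({"npm": npm_lock_packages(lock)})` and `find_affected(cyclonedx_packages(sbom))` over your own parsed files; a non-empty result means the build pulled a listed version and the machine should be treated as suspect.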
Source: The Hacker News