
Clarification on Recent Reports Regarding Malicious SDK Packages

The MEXC Security Team is aware of recent online reports concerning malicious software packages that impersonate cryptocurrency exchange SDKs on third-party platforms. We understand that some online discussions have linked this industry-wide issue to MEXC, and we want to provide a clear and transparent clarification to our valued users.

  1. This is an industry-wide phishing-style supply chain attack

The malicious package is an example of a common tactic used by threat actors targeting the Web3 ecosystem. These attackers impersonate the legitimate SDKs of well-known exchanges and publish the counterfeit packages on third-party platforms such as PyPI and other code repositories, outside the exchanges' official channels. Their goal is to deceive developers into installing the packages and submitting API credentials, which are then abused to access or transfer assets without authorization. This method is similar in principle to phishing websites.

For a more comprehensive understanding of phishing tactics, we encourage you to read our dedicated article here: https://www.mexc.com/learn/article/17827791518952


  2. The affected package was not developed or distributed by MEXC

We want to emphasize that the malicious software package in question — ccxt-mexc-futures — was not released by MEXC and has never appeared in our official repositories, documentation, or communications.

Our platform’s systems remain secure and fully operational. We have identified no internal vulnerabilities or compromises, and our advanced monitoring systems have detected no associated abnormal trading activity.

  3. No user asset losses reported

The malicious package has since been removed from the third-party platform. At this time, MEXC has not received any reports from users regarding asset losses or unauthorized access resulting from this incident. We continue to monitor the situation closely and collaborate with relevant parties to ensure ongoing protection of our community.

  4. Security reminders to developers and API users

We urge all developers and users integrating with MEXC or any other platform to adhere strictly to the following security best practices:


  • Exercise extreme caution with third-party packages, even those with similar-sounding names, unless their authenticity has been rigorously verified through official MEXC channels.
  • Treat your API keys as highly sensitive credentials. Implement strict permission limitations, utilize IP whitelisting where possible, and practice regular key rotation.
  • Avoid executing code from unverified sources. Always meticulously double-check URLs and the origins of downloaded software.
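
One way to act on the first reminder locally, as an added example (not MEXC code): the script below checks requirements lines and installed distributions for `ccxt-mexc-futures` after PEP 503 name normalisation, and flags other names containing the brand keyword for manual review. The keyword list, the `allowlist` parameter and the sample requirements are assumptions constructed for illustration.

```python
import re
from importlib import metadata

# Package named in this notice as malicious.
KNOWN_MALICIOUS = {"ccxt-mexc-futures"}
# Assumption: brand keyword used to flag lookalike names for manual review.
WATCH_KEYWORDS = ("mexc",)

def normalize(name):
    """PEP 503: names are case-insensitive and runs of - _ . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Return the normalised project name from a requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def audit(names, allowlist=frozenset()):
    """Split names into (blocked, review); allowlist holds names you verified."""
    allowed = {normalize(n) for n in allowlist}
    blocked, review = set(), set()
    for n in map(normalize, names):
        if n in KNOWN_MALICIOUS:
            blocked.add(n)
        elif n not in allowed and any(k in n for k in WATCH_KEYWORDS):
            review.add(n)
    return sorted(blocked), sorted(review)

def audit_requirements(text, allowlist=frozenset()):
    names = [requirement_name(l) for l in text.splitlines()]
    return audit([n for n in names if n], allowlist)

def installed_names():
    """Names of distributions installed in the current environment."""
    return [d.metadata["Name"] for d in metadata.distributions()
            if d.metadata["Name"]]

# Constructed sample input; the second and third names are illustrative only.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
CCXT_MEXC.Futures==0.1.0   # same project as ccxt-mexc-futures once normalised
mexc-helper-sdk>=1.0       # hypothetical lookalike name
-r base.txt
"""

if __name__ == "__main__":
    print("requirements:", audit_requirements(SAMPLE_REQUIREMENTS))
    print("installed:   ", audit(installed_names()))
```

A name in the review list is not a verdict; it marks a package whose origin should be confirmed before any API key is given to it.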

  5. Important Reminder Regarding Impersonation Attempts

Separately, we have also observed instances of individuals attempting to impersonate MEXC staff through unofficial channels. If anyone claims to represent MEXC and contacts you through unofficial channels, please first verify their identity via our official verification portal: https://www.mexc.com/official-verify. Please remember that MEXC staff will never ask for your API credentials, account password, or other sensitive information.

Our Commitment to Your Security:
The safety of our users and the integrity of our platform are, and will always be, our top priorities. MEXC is continuously enhancing its internal security measures, expanding user education initiatives, and actively engaging with the broader security community to proactively address emerging threats like these.
Thank you for your continued trust in MEXC. We remain steadfast in our commitment to providing a secure and transparent trading environment.

MEXC Security Team
April 16, 2025