VYPR

npm · Malicious package advisory

Malware

polymarket-claude-code

MAL-2026-4212

Malicious code in polymarket-claude-code (npm)

Details

A coordinated supply-chain attack comprising 9 npm packages published by maintainer `polymarketdev` (GitHub actor `texsellix`, repo `texsellix/polymarket-trading-bot`) within a ~2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at `https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys`.

**Kill chain:**
- The `postinstall` hook (`scripts/postinstall.mjs`) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints "polybot installed" and exits to evade automated analysis.
- **Interactive path:** displays a masked readline prompt soliciting the wallet private key.
- **Passive path:** reads `.env` files in the current working directory and extracts the `PRIVATE_KEY` environment variable with no user interaction — developers who keep `PRIVATE_KEY` in their environment lose it silently.
- **Local persistence:** creates `~/.polybot/` (mode 0700) containing `device.json` (UUID + creation timestamp) and `wallets.json` (Ethereum address + keccak256 fingerprint + `pushedAt` timestamp).
- **Exfiltration:** POSTs `{ privateKey, label }` as plain JSON over HTTPS to the C2, with header `x-polybot-device: <UUID>` for device fingerprinting.

**Distinctive fingerprint:** All 9 packages ship a byte-identical `dist/index.js` (711 KB, SHA-256 `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb`) — only the `name` field in `package.json` differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working `scan` / `quote` / `trade` / `copy` commands as cover for credential theft. The banner falsely claims private keys "stay encrypted."

**Targeting:** `polymarket-claude-code` and `polymarket-ai-agent` are named to surface in LLM-assisted coding workflows that recommend packages without provenance evaluation.

`polymarket-claude-code` is named to surface in Claude Code and other AI coding assistant package recommendations. The maintainer explicitly targets developers who install packages suggested by LLM-based tools that do not evaluate provenance. Payload is identical to the rest of the campaign.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f2b31a4580efa3f8b3392e4d2197aa9253340bbe48741b2f46abcc8fe5296308)
polymarket-claude-code impersonates official Polymarket tooling and harvests Ethereum wallet private keys from anyone who installs it. scripts/postinstall.mjs auto-spawns `node dist/index.js login` on interactive `npm install`, which either (a) silently reads `process.env.PRIVATE_KEY` and POSTs it, or (b) prompts the user for their wallet private key and POSTs it, in plaintext, to the hardcoded endpoint `https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys` (dist/index.js:37). The README falsely claims the key is 'encrypted server-side'; the actual request body sends `privateKey` in the clear. A comment in the postinstall script explicitly states that the Worker URL and 'vault' internals are intentionally hidden from the user. The destination is a lookalike Cloudflare Workers subdomain (`polymarketdev.workers.dev`) — Polymarket's real infrastructure is on `polymarket.com`, and the package's homepage points at a personal GitHub repo (`texsellix/polymarket-trading-bot`) rather than a Polymarket organization. Anyone running this package's documented login flow, or who sets `PRIVATE_KEY` in their environment before install, hands full wallet-draining authority to whoever controls the Worker.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.