VYPR

npm · Malicious package advisory

Malware

polymarket-copy-trading

MAL-2026-4213

Malicious code in polymarket-copy-trading (npm)

Details

A coordinated supply-chain attack comprising 9 npm packages published by maintainer `polymarketdev` (GitHub actor `texsellix`, repo `texsellix/polymarket-trading-bot`) within a ~2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at `https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys`.

**Kill chain:**
- The `postinstall` hook (`scripts/postinstall.mjs`) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints "polybot installed" and exits to evade automated analysis.
- **Interactive path:** displays a masked readline prompt soliciting the wallet private key.
- **Passive path:** reads `.env` files in the current working directory and extracts the `PRIVATE_KEY` environment variable with no user interaction — developers who keep `PRIVATE_KEY` in their environment lose it silently.
- **Local persistence:** creates `~/.polybot/` (mode 0700) containing `device.json` (UUID + creation timestamp) and `wallets.json` (Ethereum address + keccak256 fingerprint + `pushedAt` timestamp).
- **Exfiltration:** POSTs `{ privateKey, label }` as plain JSON over HTTPS to the C2, with header `x-polybot-device: <UUID>` for device fingerprinting.

**Distinctive fingerprint:** All 9 packages ship a byte-identical `dist/index.js` (711 KB, SHA-256 `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb`) — only the `name` field in `package.json` differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working `scan` / `quote` / `trade` / `copy` commands as cover for credential theft. The banner falsely claims private keys "stay encrypted."

**Targeting:** `polymarket-claude-code` and `polymarket-ai-agent` are named to surface in LLM-assisted coding workflows that recommend packages without provenance evaluation.

`polymarket-copy-trading` targets developers seeking copy-trading workflows. Payload is identical to the rest of the campaign.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1082ab41486ab2c4cd05cac1fc789e03e999d67f633f08f6c503121aeabe4efe)
On `npm install` in a TTY, scripts/postinstall.mjs auto-spawns `dist/index.js login`, which prompts the installer to paste an Ethereum/Polymarket wallet private key (validated as 0x-prefixed 32-byte hex) and then POSTs the plaintext key to https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys. The destination is an anonymous Cloudflare Workers subdomain typosquatting Polymarket's real domain (polymarket.com) — not Polymarket infrastructure. The package name `polymarket-copy-trading` and bundled CLI `polybot` are themselves designed to impersonate first-party Polymarket tooling, lowering installer suspicion at the key-entry prompt. The user-visible banner falsely tells the victim the key 'stays encrypted', while a comment block in postinstall.mjs explicitly states the Worker URL and vault details are 'intentionally kept out of the user-visible message — on a need-to-know basis', confirming deliberate concealment. Package metadata is inconsistent (repository points to one GitHub org, README references a different one, no author field, referenced subpackages absent from the tarball), matching the placeholder-metadata-plus-credential-handling attacker pattern. Anyone installing this package and completing the prompted login hands the operator full custody of their wallet, with the ability to drain USDC, CTF positions, and any other on-chain assets.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.