MAL-2026-4213
Vulnerability from ossf_malicious_packages
A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev (GitHub actor texsellix, repo texsellix/polymarket-trading-bot) within a ~2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys.
Kill chain:
- The postinstall hook (scripts/postinstall.mjs) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints "polybot installed" and exits to evade automated analysis.
- Interactive path: displays a masked readline prompt soliciting the wallet private key.
- Passive path: reads .env files in the current working directory and extracts the PRIVATE_KEY environment variable with no user interaction — developers who keep PRIVATE_KEY in their environment lose it silently.
- Local persistence: creates ~/.polybot/ (mode 0700) containing device.json (UUID + creation timestamp) and wallets.json (Ethereum address + keccak256 fingerprint + pushedAt timestamp).
- Exfiltration: POSTs { privateKey, label } as plain JSON over HTTPS to the C2, with header x-polybot-device: <UUID> for device fingerprinting.
Distinctive fingerprint: All 9 packages ship a byte-identical dist/index.js (711 KB, SHA-256 e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb) — only the name field in package.json differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working scan / quote / trade / copy commands as cover for credential theft. The banner falsely claims private keys "stay encrypted."
Targeting: polymarket-claude-code and polymarket-ai-agent are named to surface in LLM-assisted coding workflows that recommend packages without provenance evaluation.
polymarket-copy-trading targets developers seeking copy-trading workflows. Payload is identical to the rest of the campaign.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (1082ab41486ab2c4cd05cac1fc789e03e999d67f633f08f6c503121aeabe4efe)
On npm install in a TTY, scripts/postinstall.mjs auto-spawns dist/index.js login, which prompts the installer to paste an Ethereum/Polymarket wallet private key (validated as 0x-prefixed 32-byte hex) and then POSTs the plaintext key to https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys. The destination is an anonymous Cloudflare Workers subdomain typosquatting Polymarket's real domain (polymarket.com) — not Polymarket infrastructure. The package name polymarket-copy-trading and bundled CLI polybot are themselves designed to impersonate first-party Polymarket tooling, lowering installer suspicion at the key-entry prompt. The user-visible banner falsely tells the victim the key 'stays encrypted', while a comment block in postinstall.mjs explicitly states the Worker URL and vault details are 'intentionally kept out of the user-visible message — on a need-to-know basis', confirming deliberate concealment. Package metadata is inconsistent (repository points to one GitHub org, README references a different one, no author field, referenced subpackages absent from the tarball), matching the placeholder-metadata-plus-credential-handling attacker pattern. Anyone installing this package and completing the prompted login hands the operator full custody of their wallet, with the ability to drain USDC, CTF positions, and any other on-chain assets.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "scripts/postinstall.mjs",
"sha256": "2444dd0f978952e4be207c14f7dc990494a843522c08fcc1b7faa138d318d6e0",
"tlsh": "42915032d6440f613ce1c2ece61a15593717b13731429a763c4fb3acafce15942b2aba"
}
],
"package_integrity": [
{
"filename": "polymarket-copy-trading-0.1.0.tgz",
"hashes": {
"sha1": "e00eafb8b65796eaf953a20e61c637d3e549d967",
"sha512_sri": "sha512-JTLI6ugTy99aijiP6ZSq4qhVfJ36ShPuM7IBh0DTPFdcl2rZDJlLbCL9nR8BUro8r0JTU1K6W1zO3Iw4rECdjA=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "polymarket-copy-trading"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"versions": [
"0.1.0"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://safedep.io"
],
"name": "SafeDep",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003700",
"import_time": "2026-05-26T05:51:08.284452188Z",
"modified_time": "2026-05-21T01:47:37Z",
"sha256": "1082ab41486ab2c4cd05cac1fc789e03e999d67f633f08f6c503121aeabe4efe",
"source": "amazon-inspector",
"versions": [
"0.1.0"
]
}
]
},
"details": "A coordinated supply-chain attack comprising 9 npm packages published by maintainer `polymarketdev` (GitHub actor `texsellix`, repo `texsellix/polymarket-trading-bot`) within a ~2-minute window on 2026-05-20T23:30Z\u201323:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at `https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys`.\n\n**Kill chain:**\n- The `postinstall` hook (`scripts/postinstall.mjs`) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints \"polybot installed\" and exits to evade automated analysis.\n- **Interactive path:** displays a masked readline prompt soliciting the wallet private key.\n- **Passive path:** reads `.env` files in the current working directory and extracts the `PRIVATE_KEY` environment variable with no user interaction \u2014 developers who keep `PRIVATE_KEY` in their environment lose it silently.\n- **Local persistence:** creates `~/.polybot/` (mode 0700) containing `device.json` (UUID + creation timestamp) and `wallets.json` (Ethereum address + keccak256 fingerprint + `pushedAt` timestamp).\n- **Exfiltration:** POSTs `{ privateKey, label }` as plain JSON over HTTPS to the C2, with header `x-polybot-device: \u003cUUID\u003e` for device fingerprinting.\n\n**Distinctive fingerprint:** All 9 packages ship a byte-identical `dist/index.js` (711 KB, SHA-256 `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb`) \u2014 only the `name` field in `package.json` differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working `scan` / `quote` / `trade` / `copy` commands as cover for credential theft. The banner falsely claims private keys \"stay encrypted.\"\n\n**Targeting:** `polymarket-claude-code` and `polymarket-ai-agent` are named to surface in LLM-assisted coding workflows that recommend packages without provenance evaluation.\n\n`polymarket-copy-trading` targets developers seeking copy-trading workflows. Payload is identical to the rest of the campaign.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1082ab41486ab2c4cd05cac1fc789e03e999d67f633f08f6c503121aeabe4efe)\nOn `npm install` in a TTY, scripts/postinstall.mjs auto-spawns `dist/index.js login`, which prompts the installer to paste an Ethereum/Polymarket wallet private key (validated as 0x-prefixed 32-byte hex) and then POSTs the plaintext key to https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys. The destination is an anonymous Cloudflare Workers subdomain typosquatting Polymarket\u0027s real domain (polymarket.com) \u2014 not Polymarket infrastructure. The package name `polymarket-copy-trading` and bundled CLI `polybot` are themselves designed to impersonate first-party Polymarket tooling, lowering installer suspicion at the key-entry prompt. The user-visible banner falsely tells the victim the key \u0027stays encrypted\u0027, while a comment block in postinstall.mjs explicitly states the Worker URL and vault details are \u0027intentionally kept out of the user-visible message \u2014 on a need-to-know basis\u0027, confirming deliberate concealment. Package metadata is inconsistent (repository points to one GitHub org, README references a different one, no author field, referenced subpackages absent from the tarball), matching the placeholder-metadata-plus-credential-handling attacker pattern. Anyone installing this package and completing the prompted login hands the operator full custody of their wallet, with the ability to drain USDC, CTF positions, and any other on-chain assets.\n",
"id": "MAL-2026-4213",
"modified": "2026-05-26T05:55:04Z",
"published": "2026-05-21T00:00:00Z",
"references": [
{
"type": "REPORT",
"url": "https://safedep.io/malicious-polymarket-npm-crypto-wallet-drainer/"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/polymarket-copy-trading/v/0.1.0"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in polymarket-copy-trading (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.