cd /news/ai-agents/polymarket-npm-packages-steal-crypto… · home topics ai-agents article
[ARTICLE · art-15065] src=safedep.io ↗ pub= topic=ai-agents verified=true sentiment=↓ negative

Polymarket npm Packages Steal Crypto Wallet Keys

Nine malicious npm packages impersonating Polymarket trading tools were published on May 20, 2026, by the account "polymarketdev," stealing cryptocurrency wallet private keys upon installation. The packages execute a postinstall script that prompts users to paste their private key under the false claim that "it stays encrypted," then sends the raw key in plaintext to an attacker-controlled Cloudflare Worker endpoint. The campaign targets developers and traders, with one package specifically designed to exploit users of AI coding assistants, and the malware also harvests private keys from environment variables and creates persistent tracking files on infected systems.

read7 min views10 publishedMay 21, 2026

Table of Contents

TL;DR #

Nine npm packages published within a 30 second window by the same throwaway account (polymarketdev

) impersonate Polymarket trading CLI tools. On install, a postinstall

script displays a fake wallet onboarding prompt that asks the user to paste their private key, claiming “it stays encrypted.” The script POSTs the raw key in plaintext to a Cloudflare Worker at hxxps://polymarketbot[.]polymarketdev[.]workers[.]dev/v1/wallets/keys

. No encryption happens at any point. One package, polymarket-claude-code

, targets developers using AI coding assistants for trading workflows.

Impact:

  • Exfiltrates raw Ethereum/Polygon private keys to attacker-controlled infrastructure
  • Social engineers victims into pasting private keys with a false “stays encrypted” claim
  • Creates a persistent ~/.polybot/

directory with a device fingerprint, enabling victim tracking across sessions - Reads .env

files from the current working directory, harvests anyPRIVATE_KEY

environment variable without user interaction - Evades detection in CI/CD: the prompt only triggers in interactive TTY sessions

Indicators of Compromise (IoC):

Type Value
npm packages polymarket-trading-cli , polymarket-terminal , polymarket-trade , polymarket-auto-trade , polymarket-copy-trading , polymarket-bot , polymarket-claude-code , polymarket-ai-agent , polymarket-trader (all versions)
npm publisher polymarketdev (
C2 endpoint hxxps://polymarketbot[.]polymarketdev[.]workers[.]dev
Exfiltration path /v1/wallets/keys (POST)
GitHub actor texsellix (github[.]com/texsellix )
GitHub repo texsellix/polymarket-trading-bot
Payload SHA-256 (dist/index.js) e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb
Local artifact ~/.polybot/device.json , ~/.polybot/wallets.json

Analysis #

Package Overview

All nine packages were published on May 20, 2026, between 23:30 and 23:32 UTC by the npm account polymarketdev

, registered to

(a Proton Mail address). Each package had two versions (0.1.0 and 0.1.1) published within two minutes. The only difference between packages is the [email protected]name

field in package.json

. All nine ship the same dist/index.js

payload (SHA-256: e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb

).

The package.json

metadata across all nine packages points to a single GitHub repository, texsellix/polymarket-trading-bot

, which has 69 stars and 22 forks. The repository README describes an elaborate monorepo architecture (“four packages: CLI, SDK, Core, Engine”) and makes explicit security claims: “Wallet keys are encrypted before they leave your machine” and “Plaintext keys live in memory only at sign time.” Both claims are false, as the source code confirms below.

The package names cover multiple search vectors a Polymarket trader might try: generic (polymarket-trade

, polymarket-bot

), workflow-specific (`polymarket-copy-trading`

, `polymarket-auto-trade`

), and AI-tooling-specific (`polymarket-claude-code`

, `polymarket-ai-agent`

). `polymarket-claude-code`

targets developers using AI coding assistants for trading, a growing pattern in crypto circles.

Execution Trigger

The attack chain starts with a postinstall

hook in package.json

:

The postinstall.mjs

script checks for an interactive TTY before displaying any output. In CI/CD pipelines or non-interactive shells, it prints a one-liner (“polybot installed”) and exits, avoiding detection by automated security tooling:

When a TTY is present, the script renders a colorful banner with ANSI escape codes and a direct call to action:

“it stays encrypted” is false. The script spawns the bundled dist/index.js

with the login

subcommand, which handles key collection and exfiltration.

Private Key Collection

The login

command (e2() in the bundled code) collects the private key through one of two paths:

Path 1: Interactive prompt. A masked readline prompt displays asterisks as the user types, mimicking a password field. The raw key is retained in memory:

Path 2: Environment variable. The code also reads PRIVATE_KEY

from the environment or from a .env file in the current directory:

The .env

runs before any prompt:

Any project with a .env

file containing PRIVATE_KEY=0x...

(common in Polymarket bot development) loses that key without the user seeing any prompt.

Data Exfiltration

The code sends the collected key to the attacker’s Cloudflare Worker in plaintext JSON:

push

sends { privateKey: "0x...", label: "..." } as a plain JSON body. The raw hex private key travels over HTTPS to the Worker, but no client-side encryption happens. The “encrypted in transit” claim from the README refers to TLS alone, which protects the key from network observers but not from the Worker operator (the attacker).

The x-polybot-device header contains a UUID generated on first run and persisted to ~/.polybot/device.json

, letting the attacker correlate multiple keys from the same victim.

Local Persistence

The package creates a ~/.polybot/

directory with two files:

device.json

: contains adeviceId

(UUID) andcreatedAt timestamp, written with mode0600

wallets.json

: stores the Ethereum address, a keccak256 fingerprint of the key, an optional label, and apushedAt

timestamp

The fingerprint function uses keccak256 truncated to 8 bytes (not reversible to the key), but the raw key has already left the machine at this point. The local files serve as tracking artifacts.

The Credibility Apparatus

The attacker built a credibility layer around the theft:

GitHub repository(texsellix/polymarket-trading-bot ) with 69 stars and 22 forks (likely purchased or botted)Detailed README describing a monorepo with four packages, proxy wallet support, and multiple trading strategiesSECURITY.md and CONTRIBUTING.md files in the repo, mimicking mature open source projectsPaper trading default(“Every trading command runs in paper mode by default. Add--live

to commit real USDC.”) that suggests careful, user-friendly designMasking input as asterisks during the prompt, mimicking legitimate password entry patternsProfessional error messages(“couldn’t reach polybot. check your connection and try again.”) that disguise exfiltration failures as network errors

The bundled dist/index.js

(711 KB) includes legitimate dependencies: the full Polymarket CLOB client SDK, ethers.js, Zod validation, pino logger, and WebSocket handling. The attacker wrapped real trading functionality around the theft. Commands like scan

, quote

, trade

, and copy

make real Polymarket API calls. Someone who installs the package and uses it for trading may never suspect the “login” step was the entire attack.

Conclusion #

The attacker built a functional trading CLI around a credential theft operation. Social engineering carries the attack: the postinstall

prompt looks like standard wallet onboarding, the masking mimics secure input, and the GitHub repo provides false credibility. The .env

harvesting path is the more dangerous vector. Developers who store PRIVATE_KEY

in their environment (standard practice for Polymarket bot development) lose their keys without seeing any prompt.

Two of the package names (`polymarket-claude-code`

, `polymarket-ai-agent`

) target developers who install packages suggested by LLM-based tools, which may not evaluate package provenance.

If you installed any of these packages, rotate any wallet keys that were entered or present in your environment. Check for ~/.polybot/ and remove it. Scan your project dependencies with vet to catch packages from single-version, single-maintainer accounts with no prior publish history. For runtime protection against malicious postinstall scripts,

can intercept and block unauthorized network calls and filesystem access during package installation.

pmg

References #

  • vet

  • malware

  • npm

  • supply-chain

  • crypto

  • wallet-drainer

Author

SafeDep Team

safedep.io

Share

The Latest from SafeDep blogs #

Follow for the latest updates and insights on open source security & engineering

141 npm Packages Abuse Registry as Adware Hosting npm account terminal3airport published 141 packages containing a web proxy unblocker disguised as tutoring websites. The packages load popunder ads, external monetization scripts, and Google...

Megalodon: Mass GitHub Repo Backdooring via CI Workflows Over 5,700 malicious commits were pushed to GitHub repositories on May 18, 2026, replacing GitHub Actions workflows with base64-encoded secret exfiltration payloads. The "megalodon" campaign targeted...

forge-jsxy: 22 Versions of an Actively Developed npm RAT forge-jsxy picked up where the taken-down forge-jsx left off, publishing 22 versions over 22 days. Each release added new capabilities: crypto wallet scanning, Chromium extension theft, WebRTC data...

art-template npm Hijack Delivers iOS Browser Exploit Kit art-template versions 4.13.3 through 4.13.6 were compromised via maintainer account takeover. The browser bundle injects scripts that deliver a full iOS exploit kit: WebAssembly type confusion, JIT...

Ship Code. #

Not Malware. #

Start free with open source tools on your machine. Scale to a unified platform for your organization.

── more in #ai-agents 4 stories · sorted by recency
── more on @polymarket 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/polymarket-npm-packa…] indexed:0 read:7min 2026-05-21 ·