{"slug": "polymarket-npm-packages-steal-crypto-wallet-keys", "title": "Polymarket npm Packages Steal Crypto Wallet Keys", "summary": "Nine malicious npm packages impersonating Polymarket trading tools were published on May 20, 2026, by the account \"polymarketdev,\" stealing cryptocurrency wallet private keys upon installation. The packages execute a postinstall script that prompts users to paste their private key under the false claim that \"it stays encrypted,\" then sends the raw key in plaintext to an attacker-controlled Cloudflare Worker endpoint. The campaign targets developers and traders, with one package specifically named to target users of AI coding assistants, and the malware also harvests private keys from environment variables and creates persistent tracking files on infected systems.", "body_md": "# Polymarket npm Packages Steal Crypto Wallet Keys\n\n## TL;DR\n\nNine npm packages published within a 30-second window by the same throwaway account (`polymarketdev`) impersonate Polymarket trading CLI tools. On install, a `postinstall` script displays a fake wallet onboarding prompt that asks the user to paste their private key, claiming “it stays encrypted.” The script POSTs the raw key in plaintext to a Cloudflare Worker at `hxxps://polymarketbot[.]polymarketdev[.]workers[.]dev/v1/wallets/keys`. No encryption happens at any point. 
One package, `polymarket-claude-code`, targets developers using AI coding assistants for trading workflows.\n\n**Impact:**\n\n- Exfiltrates raw Ethereum/Polygon private keys to attacker-controlled infrastructure\n- Tricks victims into pasting private keys with a false “stays encrypted” claim\n- Creates a persistent `~/.polybot/` directory with a device fingerprint, enabling victim tracking across sessions\n- Reads `.env` files from the current working directory and harvests any `PRIVATE_KEY` environment variable without user interaction\n- Evades detection in CI/CD: the prompt only triggers in interactive TTY sessions\n\n**Indicators of Compromise (IoC):**\n\n| Type | Value |\n|---|---|\n| npm packages | `polymarket-trading-cli`, `polymarket-terminal`, `polymarket-trade`, `polymarket-auto-trade`, `polymarket-copy-trading`, `polymarket-bot`, `polymarket-claude-code`, `polymarket-ai-agent`, `polymarket-trader` (all versions) |\n| npm publisher | `polymarketdev` (registered to a Proton Mail address) |\n| C2 endpoint | `hxxps://polymarketbot[.]polymarketdev[.]workers[.]dev` |\n| Exfiltration path | `/v1/wallets/keys` (POST) |\n| GitHub actor | `texsellix` (`github[.]com/texsellix`) |\n| GitHub repo | `texsellix/polymarket-trading-bot` |\n| Payload SHA-256 (dist/index.js) | `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb` |\n| Local artifacts | `~/.polybot/device.json`, `~/.polybot/wallets.json` |\n\n## Analysis\n\n### Package Overview\n\nAll nine packages were published on May 20, 2026, between 23:30 and 23:32 UTC by the npm account `polymarketdev`, registered to a Proton Mail address. Each package had two versions (0.1.0 and 0.1.1) published within two minutes. The only difference between packages is the `name` field in `package.json`. 
All nine ship the same `dist/index.js` payload (SHA-256: `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb`).\n\nThe `package.json` metadata across all nine packages points to a single GitHub repository, `texsellix/polymarket-trading-bot`, which has 69 stars and 22 forks. The repository README describes an elaborate monorepo architecture (“four packages: CLI, SDK, Core, Engine”) and makes explicit security claims: “Wallet keys are encrypted before they leave your machine” and “Plaintext keys live in memory only at sign time.” Both claims are false, as the analysis of the bundled code below shows.\n\nThe package names cover multiple search vectors a Polymarket trader might try: generic (`polymarket-trade`, `polymarket-bot`), workflow-specific (`polymarket-copy-trading`, `polymarket-auto-trade`), and AI-tooling-specific (`polymarket-claude-code`, `polymarket-ai-agent`). `polymarket-claude-code` targets developers using AI coding assistants for trading, a growing pattern in crypto circles.\n\n### Execution Trigger\n\nThe attack chain starts with a `postinstall` hook in `package.json` that runs `postinstall.mjs`. That script checks for an interactive TTY before displaying any output. In CI/CD pipelines or non-interactive shells, it prints a one-liner (“polybot installed”) and exits, avoiding detection by automated security tooling that installs packages without a TTY.\n\nWhen a TTY is present, the script renders a colorful banner with ANSI escape codes and a direct call to action to paste the wallet private key, claiming that “it stays encrypted.” That claim is false. The script spawns the bundled `dist/index.js` with the `login` subcommand, which handles key collection and exfiltration.\n\n### Private Key Collection\n\nThe `login` command (`e2()` in the bundled code) collects the private key through one of two paths:\n\n**Path 1: Interactive prompt.** A masked readline prompt displays asterisks as the user types, mimicking a password field. 
The raw key is retained in memory unchanged.\n\n**Path 2: Environment variable.** The code also reads `PRIVATE_KEY` from the environment or from a `.env` file in the current directory, and the `.env` loader runs before any prompt. Any project with a `.env` file containing `PRIVATE_KEY=0x...` (common in Polymarket bot development) loses that key without the user seeing any prompt.\n\n### Data Exfiltration\n\nThe code sends the collected key to the attacker’s Cloudflare Worker in plaintext JSON. The `push` function sends `{ privateKey: \"0x...\", label: \"...\" }` as a plain JSON body. The raw hex private key travels over HTTPS to the Worker, but no client-side encryption happens. The “encrypted in transit” claim from the README refers to TLS alone, which protects the key from network observers but not from the Worker operator (the attacker).\n\nThe `x-polybot-device` header contains a UUID generated on first run and persisted to `~/.polybot/device.json`, letting the attacker correlate multiple keys from the same victim.\n\n### Local Persistence\n\nThe package creates a `~/.polybot/` directory with two files:\n\n- `device.json`: contains a `deviceId` (UUID) and a `createdAt` timestamp, written with mode `0600`\n- `wallets.json`: stores the Ethereum address, a keccak256 fingerprint of the key, an optional label, and a `pushedAt` timestamp\n\nThe fingerprint function uses keccak256 truncated to 8 bytes (not reversible to the key), but the raw key has already left the machine at this point. 
The local files serve as tracking artifacts.\n\n### The Credibility Apparatus\n\nThe attacker built a credibility layer around the theft:\n\n- **GitHub repository** (`texsellix/polymarket-trading-bot`) with 69 stars and 22 forks (likely purchased or botted)\n- **Detailed README** describing a monorepo with four packages, proxy wallet support, and multiple trading strategies\n- **SECURITY.md and CONTRIBUTING.md** files in the repo, mimicking mature open source projects\n- **Paper trading default** (“Every trading command runs in paper mode by default. Add `--live` to commit real USDC.”) that suggests careful, user-friendly design\n- **Masked input** (asterisks during the prompt), mimicking legitimate password entry patterns\n- **Professional error messages** (“couldn’t reach polybot. check your connection and try again.”) that disguise exfiltration failures as network errors\n\nThe bundled `dist/index.js` (711 KB) includes legitimate dependencies: the full Polymarket CLOB client SDK, ethers.js, Zod validation, the pino logger, and WebSocket handling. The attacker wrapped real trading functionality around the theft. Commands like `scan`, `quote`, `trade`, and `copy` make real Polymarket API calls. Someone who installs the package and uses it for trading may never suspect the “login” step was the entire attack.\n\n## Conclusion\n\nThe attacker built a functional trading CLI around a credential theft operation. Social engineering carries the attack: the `postinstall` prompt looks like standard wallet onboarding, the masking mimics secure input, and the GitHub repo provides false credibility. The `.env` harvesting path is the more dangerous vector. 
Developers who store `PRIVATE_KEY` in their environment (standard practice for Polymarket bot development) lose their keys without seeing any prompt.\n\nTwo of the package names (`polymarket-claude-code`, `polymarket-ai-agent`) target developers who install packages suggested by LLM-based tools, which may not evaluate package provenance.\n\nIf you installed any of these packages, rotate any wallet keys that were entered or present in your environment. Check for `~/.polybot/` and remove it. Scan your project dependencies with [vet](https://github.com/safedep/vet) to catch packages from single-version, single-maintainer accounts with no prior publish history. For runtime protection against malicious postinstall scripts, [pmg](https://github.com/safedep/pmg) can intercept and block unauthorized network calls and filesystem access during package installation.\n\n### Author\n\n#### SafeDep Team\n\nsafedep.io", "url": "https://wpnews.pro/news/polymarket-npm-packages-steal-crypto-wallet-keys", "canonical_source": "https://safedep.io/malicious-polymarket-npm-crypto-wallet-drainer", "published_at": "2026-05-21 03:21:00+00:00", "updated_at": "2026-05-27 08:40:01.939268+00:00", "lang": "en", "topics": ["ai-agents", "ai-tools", "ai-safety"], "entities": ["Polymarket", "Cloudflare", "npm", "Ethereum", "Polygon"], "alternates": {"html": "https://wpnews.pro/news/polymarket-npm-packages-steal-crypto-wallet-keys", "markdown": "https://wpnews.pro/news/polymarket-npm-packages-steal-crypto-wallet-keys.md", "text": "https://wpnews.pro/news/polymarket-npm-packages-steal-crypto-wallet-keys.txt", "jsonld": "https://wpnews.pro/news/polymarket-npm-packages-steal-crypto-wallet-keys.jsonld"}}