# Polymarket npm Packages Steal Crypto Wallet Keys

> Source: <https://safedep.io/malicious-polymarket-npm-crypto-wallet-drainer>
> Published: 2026-05-21 03:21:00+00:00

## TL;DR

Nine npm packages published within a 30-second window by the same throwaway account (`polymarketdev`) impersonate Polymarket trading CLI tools. On install, a `postinstall` script displays a fake wallet onboarding prompt that asks the user to paste their private key, claiming “it stays encrypted.” The script POSTs the raw key in plaintext to a Cloudflare Worker at `hxxps://polymarketbot[.]polymarketdev[.]workers[.]dev/v1/wallets/keys`. No encryption happens at any point. One package, `polymarket-claude-code`, targets developers using AI coding assistants for trading workflows.

**Impact:**

- Exfiltrates raw Ethereum/Polygon private keys to attacker-controlled infrastructure
- Social engineers victims into pasting private keys with a false “stays encrypted” claim
- Creates a persistent `~/.polybot/` directory with a device fingerprint, enabling victim tracking across sessions
- Reads `.env` files from the current working directory and harvests any `PRIVATE_KEY` environment variable without user interaction
- Evades detection in CI/CD: the prompt only triggers in interactive TTY sessions

**Indicators of Compromise (IoC):**

| Type | Value |
|---|---|
| npm packages | `polymarket-trading-cli` , `polymarket-terminal` , `polymarket-trade` , `polymarket-auto-trade` , `polymarket-copy-trading` , `polymarket-bot` , `polymarket-claude-code` , `polymarket-ai-agent` , `polymarket-trader` (all versions) |
| npm publisher | `polymarketdev` (registered with a Proton Mail address) |
| C2 endpoint | `hxxps://polymarketbot[.]polymarketdev[.]workers[.]dev` |
| Exfiltration path | `/v1/wallets/keys` (POST) |
| GitHub actor | `texsellix` (`github[.]com/texsellix` ) |
| GitHub repo | `texsellix/polymarket-trading-bot` |
| Payload SHA-256 (dist/index.js) | `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb` |
| Local artifact | `~/.polybot/device.json` , `~/.polybot/wallets.json` |

## Analysis

### Package Overview

All nine packages were published on May 20, 2026, between 23:30 and 23:32 UTC by the npm account `polymarketdev`, registered to a Proton Mail address. Each package had two versions (0.1.0 and 0.1.1) published within two minutes. The only difference between packages is the `name` field in `package.json`. All nine ship the same `dist/index.js` payload (SHA-256: `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb`).

The `package.json` metadata across all nine packages points to a single GitHub repository, `texsellix/polymarket-trading-bot`, which has 69 stars and 22 forks. The repository README describes an elaborate monorepo architecture (“four packages: CLI, SDK, Core, Engine”) and makes explicit security claims: “Wallet keys are encrypted before they leave your machine” and “Plaintext keys live in memory only at sign time.” Both claims are false, as the analysis of the bundled code below shows.

The package names cover multiple search vectors a Polymarket trader might try: generic (`polymarket-trade`, `polymarket-bot`), workflow-specific (`polymarket-copy-trading`, `polymarket-auto-trade`), and AI-tooling-specific (`polymarket-claude-code`, `polymarket-ai-agent`). `polymarket-claude-code` targets developers using AI coding assistants for trading, a growing pattern in crypto circles.

### Execution Trigger

The attack chain starts with a `postinstall` hook in `package.json` that runs the package's `postinstall.mjs`.

The `postinstall.mjs` script checks for an interactive TTY before displaying any output. In CI/CD pipelines or non-interactive shells, it prints a one-liner (“polybot installed”) and exits, which keeps the prompt out of automated security tooling and sandbox runs.

When a TTY is present, the script renders a colorful banner with ANSI escape codes and a direct call to action to paste the wallet's private key, promising that “it stays encrypted.” That claim is false. The script spawns the bundled `dist/index.js` with the `login` subcommand, which handles key collection and exfiltration.

### Private Key Collection

The `login` command (`e2()` in the bundled code) collects the private key through one of two paths.

**Path 1: Interactive prompt.** A masked readline prompt displays asterisks as the user types, mimicking a password field. The raw key is retained in memory.

**Path 2: Environment variable.** The code also reads `PRIVATE_KEY` from the environment or from a `.env` file in the current directory. The `.env` loader runs before any prompt, so any project with a `.env` file containing `PRIVATE_KEY=0x...` (common in Polymarket bot development) loses that key without the user seeing any prompt.

### Data Exfiltration

The code sends the collected key to the attacker's Cloudflare Worker in plaintext JSON. `push` sends `{ privateKey: "0x...", label: "..." }` as a plain JSON body. The raw hex private key travels over HTTPS to the Worker, but no client-side encryption happens. The README's “encrypted” claim reduces to TLS alone, which protects the key from network observers but not from the Worker operator, who is the attacker.

The `x-polybot-device` header carries a UUID generated on first run and persisted to `~/.polybot/device.json`, letting the attacker correlate multiple keys from the same victim.

### Local Persistence

The package creates a `~/.polybot/` directory with two files:

- `device.json`: contains a `deviceId` (UUID) and a `createdAt` timestamp, written with mode `0600`
- `wallets.json`: stores the Ethereum address, a keccak256 fingerprint of the key, an optional label, and a `pushedAt` timestamp

The fingerprint function uses keccak256 truncated to 8 bytes (not reversible to the key), but the raw key has already left the machine at this point. The local files serve as tracking artifacts.

### The Credibility Apparatus

The attacker built a credibility layer around the theft:

- **GitHub repository** (`texsellix/polymarket-trading-bot`) with 69 stars and 22 forks (likely purchased or botted)
- **Detailed README** describing a monorepo with four packages, proxy wallet support, and multiple trading strategies
- **SECURITY.md and CONTRIBUTING.md** files in the repo, mimicking mature open source projects
- **Paper trading default** (“Every trading command runs in paper mode by default. Add `--live` to commit real USDC.”) that suggests careful, user-friendly design
- **Masking input as asterisks** during the prompt, mimicking legitimate password entry patterns
- **Professional error messages** (“couldn’t reach polybot. check your connection and try again.”) that disguise exfiltration failures as network errors

The bundled `dist/index.js` (711 KB) includes legitimate dependencies: the full Polymarket CLOB client SDK, ethers.js, Zod validation, pino logger, and WebSocket handling. The attacker wrapped real trading functionality around the theft. Commands like `scan`, `quote`, `trade`, and `copy` make real Polymarket API calls. Someone who installs the package and uses it for trading may never suspect the “login” step was the entire attack.

## Conclusion

The attacker built a functional trading CLI around a credential theft operation. Social engineering carries the attack: the `postinstall` prompt looks like standard wallet onboarding, the masked input mimics secure entry, and the GitHub repo provides false credibility. The `.env` harvesting path is the more dangerous vector. Developers who store `PRIVATE_KEY` in their environment (standard practice for Polymarket bot development) lose their keys without seeing any prompt.

Two of the package names (`polymarket-claude-code`, `polymarket-ai-agent`) target developers who install packages suggested by LLM-based tools, which may not evaluate package provenance.

If you installed any of these packages, rotate any wallet keys that were entered or present in your environment, and treat a `PRIVATE_KEY` in the project's `.env` file as compromised even if you never saw the prompt. Check for `~/.polybot/` and remove it. Scan your project dependencies with [vet](https://github.com/safedep/vet) to catch packages from single-version, single-maintainer accounts with no prior publish history. For runtime protection against malicious postinstall scripts, [pmg](https://github.com/safedep/pmg) can intercept and block unauthorized network calls and filesystem access during package installation. Installing with `--ignore-scripts` keeps the `postinstall` hook from running at all, but the `.env` read and the upload live in the CLI's `login` command, so running the tool by hand after such an install still hands over the key.


### Author

#### SafeDep Team

safedep.io
