# Polymarket npm Packages Steal Crypto Wallet Keys

Nine malicious npm packages impersonating Polymarket trading tools were published on May 20, 2026, by the account "polymarketdev", stealing cryptocurrency wallet private keys upon installation. The packages execute a postinstall script that prompts users to paste their private key under the false claim that "it stays encrypted", then send the raw key in plaintext to an attacker-controlled Cloudflare Worker endpoint. The campaign targets developers and traders, with one package specifically designed to exploit users of AI coding assistants; the malware also harvests private keys from environment variables and creates persistent tracking files on infected systems.

## TL;DR

Nine npm packages published within a 30-second window by the same throwaway account, `polymarketdev`, impersonate Polymarket trading CLI tools. On install, a postinstall script displays a fake wallet onboarding prompt that asks the user to paste their private key, claiming "it stays encrypted." The script POSTs the raw key in plaintext to a Cloudflare Worker at `hxxps://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys`. No encryption happens at any point. One package, `polymarket-claude-code`, targets developers using AI coding assistants for trading workflows.
**Impact:**

- Exfiltrates raw Ethereum/Polygon private keys to attacker-controlled infrastructure
- Social-engineers victims into pasting private keys with a false "stays encrypted" claim
- Creates a persistent `~/.polybot/` directory with a device fingerprint, enabling victim tracking across sessions
- Reads `.env` files from the current working directory and harvests any `PRIVATE_KEY` environment variable without user interaction
- Evades detection in CI/CD: the prompt only triggers in interactive TTY sessions

## Indicators of Compromise (IoC)

| Type | Value |
|---|---|
| npm packages | `polymarket-trading-cli`, `polymarket-terminal`, `polymarket-trade`, `polymarket-auto-trade`, `polymarket-copy-trading`, `polymarket-bot`, `polymarket-claude-code`, `polymarket-ai-agent`, `polymarket-trader` (all versions) |
| npm publisher | `polymarketdev` |
| C2 endpoint | `hxxps://polymarketbot.polymarketdev.workers.dev` |
| Exfiltration path | `/v1/wallets/keys` (POST) |
| GitHub actor | `texsellix` (github.com/texsellix) |
| GitHub repo | `texsellix/polymarket-trading-bot` |
| Payload SHA-256 (`dist/index.js`) | `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb` |
| Local artifacts | `~/.polybot/device.json`, `~/.polybot/wallets.json` |

## Analysis

### Package Overview

All nine packages were published on May 20, 2026, between 23:30 and 23:32 UTC by the npm account `polymarketdev`, registered to a Proton Mail address. Each package had two versions (0.1.0 and 0.1.1) published within two minutes. The only difference between packages is the `name` field in `package.json`. All nine ship the same `dist/index.js` payload (SHA-256: `e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb`). The `package.json` metadata across all nine packages points to a single GitHub repository, `texsellix/polymarket-trading-bot`, which has 69 stars and 22 forks.
The repository README describes an elaborate monorepo architecture ("four packages: CLI, SDK, Core, Engine") and makes explicit security claims: "Wallet keys are encrypted before they leave your machine" and "Plaintext keys live in memory only at sign time." Both claims are false, as the source code confirms below.

The package names cover multiple search vectors a Polymarket trader might try: generic (`polymarket-trade`, `polymarket-bot`), workflow-specific (`polymarket-copy-trading`, `polymarket-auto-trade`), and AI-tooling-specific (`polymarket-claude-code`, `polymarket-ai-agent`). `polymarket-claude-code` targets developers using AI coding assistants for trading, a growing pattern in crypto circles.

### Execution Trigger

The attack chain starts with a postinstall hook in `package.json`.

The `postinstall.mjs` script checks for an interactive TTY before displaying any output. In CI/CD pipelines or non-interactive shells, it prints a one-liner ("polybot installed") and exits, avoiding detection by automated security tooling.

When a TTY is present, the script renders a colorful banner with ANSI escape codes and a direct call to action. The banner's claim that "it stays encrypted" is false. The script spawns the bundled `dist/index.js` with the `login` subcommand, which handles key collection and exfiltration.

### Private Key Collection

The `login` command (`e2` in the bundled code) collects the private key through one of two paths.

Path 1: Interactive prompt. A masked readline prompt displays asterisks as the user types, mimicking a password field. The raw key is retained in memory.

Path 2: Environment variable. The code also reads `PRIVATE_KEY` from the environment or from a `.env` file in the current directory. The `.env` loader runs before any prompt. Any project with a `.env` file containing `PRIVATE_KEY=0x...` (common in Polymarket bot development) loses that key without the user seeing any prompt.
### Data Exfiltration

The code sends the collected key to the attacker's Cloudflare Worker in plaintext JSON. `push` sends `{ privateKey: "0x...", label: "..." }` as a plain JSON body. The raw hex private key travels over HTTPS to the Worker, but no client-side encryption happens. The "encrypted in transit" claim from the README refers to TLS alone, which protects the key from network observers but not from the Worker operator (the attacker).

The `x-polybot-device` header contains a UUID generated on first run and persisted to `~/.polybot/device.json`, letting the attacker correlate multiple keys from the same victim.

### Local Persistence

The package creates a `~/.polybot/` directory with two files:

- `device.json`: contains a `deviceId` UUID and a `createdAt` timestamp, written with mode 0600
- `wallets.json`: stores the Ethereum address, a keccak256 fingerprint of the key, an optional label, and a `pushedAt` timestamp

The fingerprint function uses keccak256 truncated to 8 bytes (not reversible to the key), but the raw key has already left the machine at this point. The local files serve as tracking artifacts.

### The Credibility Apparatus

The attacker built a credibility layer around the theft:

- GitHub repository `texsellix/polymarket-trading-bot` with 69 stars and 22 forks (likely purchased or botted)
- Detailed README describing a monorepo with four packages, proxy wallet support, and multiple trading strategies
- `SECURITY.md` and `CONTRIBUTING.md` files in the repo, mimicking mature open source projects
- Paper trading default ("Every trading command runs in paper mode by default. Add --live to commit real USDC.") that suggests careful, user-friendly design
- Masking input as asterisks during the prompt, mimicking legitimate password entry patterns
- Professional error messages ("couldn't reach polybot. check your connection and try again.") that disguise exfiltration failures as network errors

The bundled `dist/index.js` (711 KB) includes legitimate dependencies: the full Polymarket CLOB client SDK, ethers.js, Zod validation, pino logger, and WebSocket handling. The attacker wrapped real trading functionality around the theft. Commands like `scan`, `quote`, `trade`, and `copy` make real Polymarket API calls. Someone who installs the package and uses it for trading may never suspect the "login" step was the entire attack.

## Conclusion

The attacker built a functional trading CLI around a credential theft operation. Social engineering carries the attack: the postinstall prompt looks like standard wallet onboarding, the masking mimics secure input, and the GitHub repo provides false credibility.

The `.env` harvesting path is the more dangerous vector. Developers who store `PRIVATE_KEY` in their environment (standard practice for Polymarket bot development) lose their keys without seeing any prompt. Two of the package names (`polymarket-claude-code`, `polymarket-ai-agent`) target developers who install packages suggested by LLM-based tools, which may not evaluate package provenance.

If you installed any of these packages, rotate any wallet keys that were entered or present in your environment. Check for `~/.polybot/` and remove it. Scan your project dependencies with vet (https://github.com/safedep/vet) to catch packages from single-version, single-maintainer accounts with no prior publish history. For runtime protection against malicious postinstall scripts, pmg (https://github.com/safedep/pmg) can intercept and block unauthorized network calls and filesystem access during package installation.
pmg: https://github.com/safedep/pmg

Tags: vet, malware, npm, supply-chain, crypto, wallet-drainer

Author: SafeDep Team (safedep.io)