DeFi developers and users of Polymarket trading bots targeted in new npm package for information theft

Hackers created a fake trading bot for Polymarket’s prediction markets on GitHub. The bot was used to spread malware that steals credentials such as wallet keys and browser passwords.

30 malicious packages were found across multiple npm accounts, reportedly targeting developers and traders using automated strategies. At least 53 developers fell into the trap before it was flagged.

How did the fake bot spread to over 53 developers?

On July 1, 2026, the security company SlowMist flagged a fake trading bot that promised big profits on Polymarket but is actually just a delivery vehicle for malware. SafeDep found 30 malicious npm packages spread across multiple accounts and linked to a single fake GitHub repository.

The criminals deployed a “multi-market arbitrage bot” that claimed to earn more than $80,000 a year. It earned 36 stars and 53 forks before the scam was exposed. Every developer who downloaded and installed it ran the malware.

The attackers were exploiting the fact that real trading bots do earn big money on Polymarket.

One bot described by prediction markets analyst Dexter’s Lab turned $313 into $414,000 in just one month, while another bot, analyzed by researcher Igor Mikrin, made $2.2 million over two months. This track record makes the fake bot seem believable to traders looking for easy profits.

The instructions for this fake trading bot asked users to put their Polymarket key into an .env file before running ‘npm install’. During installation, malware hidden inside a dependency called “clob-client-math” runs.

The malware steals a wide range of sensitive data, including:

  • Crypto wallet data from MetaMask, Phantom, Coinbase Wallet, TrustWallet and others.
  • Browser data such as saved passwords and cookies from Chrome, Firefox, and Brave.
  • SSH keys, AWS login details, npm and PyPI tokens.
  • Data from password managers such as Bitwarden, KeePass, and 1Password.
  • Private keys and API tokens.

What should you do if you download a fake bot?

Security researchers believe that North Korean hackers are behind this attack. The group is running a larger campaign called “Contagious Trader” targeting cryptocurrency developers.

Cryptopolitan reported that in March, hackers took over an Axios developer’s account and deployed malicious npm packages. In May, one compromised account was used to seize 323 packages in less than 30 minutes.

Polymarket users have also faced other attacks this year, such as a late-June phishing scam that drained $2.94 million from at least 11 accounts.

SafeDep says any computer running “npm install” on the fake bot should be treated as compromised. These individuals are advised to immediately rotate all crypto wallet keys, change every password stored in their browser, and replace all AWS credentials, SSH keys, and API tokens.

Traders are also advised to check their npm lock files for the 30 malicious packages by looking for dependencies that appear in package.json but are never used in the code. The repository’s “package.json” file in this attack listed four dependencies, but only three of them (the official Polymarket SDK, ethers, and dotenv) were legitimate. The fourth, clob-client-math, which concealed the malware, was never imported anywhere in the bot’s source code.
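The check described above, as an added example that is not code from the article or from SafeDep: it lists every dependency declared in package.json and flags any that no source file ever requires or imports. The package.json and source snippets are constructed to mirror the four-dependency layout described here; the SDK package name is assumed for illustration.

```javascript
// Added example: flag dependencies declared in package.json but never imported.
// Constructed package.json modelled on the repository layout the article describes.
const SAMPLE_PACKAGE_JSON = {
  name: "arb-bot",
  dependencies: {
    "@polymarket/clob-client": "^4.0.0", // assumed name for the official SDK
    ethers: "^6.0.0",
    dotenv: "^16.0.0",
    "clob-client-math": "^1.0.0",        // the package that hid the malware
  },
};

// Constructed source files: three packages are used, the fourth never is.
const SAMPLE_SOURCES = {
  "index.js": `
    require('dotenv').config();
    const { ClobClient } = require('@polymarket/clob-client');
    const { Wallet } = require('ethers');
  `,
  "utils.js": `import { formatUnits } from 'ethers/utils';`,
};

// Matches require('x'), import ... from 'x', bare import 'x' and export ... from 'x'.
const IMPORT_RE =
  /(?:require\s*\(\s*|import\s+(?:[^'"]*?\s+from\s+)?|export\s+[^'"]*?\s+from\s+)['"]([^'"]+)['"]/g;

// Reduce a module specifier to its package name: 'ethers/utils' -> 'ethers', '@a/b/c' -> '@a/b'.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/")) return null; // local file, not a package
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Collect the set of package names imported anywhere in the given source files.
function importedPackages(sources) {
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Return declared dependencies (runtime and dev) that no source file imports.
function findUnusedDependencies(pkg, sources) {
  const declared = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const used = importedPackages(sources);
  return declared.filter((dep) => !used.has(dep));
}

console.log(findUnusedDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)); // prints [ 'clob-client-math' ]
```

An unused dependency is a lead, not proof: confirm by reading the package and its install scripts before trusting or removing it.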

The best defense is to check whether the packages come from new accounts with no publishing history, as all of the fake packages were published by completely new accounts.
