Malicious package

polymarket-claude-code (npm)

Malicious code in polymarket-claude-code (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4212
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall polymarket-claude-code

What this malware does

A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev (GitHub actor texsellix, repo texsellix/polymarket-trading-bot) within a ~2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys.

Kill chain:

  • The postinstall hook (scripts/postinstall.mjs) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints "polybot installed" and exits to evade automated analysis.
  • Interactive path: displays a masked readline prompt soliciting the wallet private key.
  • Passive path: reads .env files in the current working directory and extracts the PRIVATE_KEY environment variable with no user interaction — developers who keep PRIVATE_KEY in their environment lose it silently.
  • Local persistence: creates ~/.polybot/ (mode 0700) containing device.json (UUID + creation timestamp) and wallets.json (Ethereum address + keccak256 fingerprint + pushedAt timestamp).
  • Exfiltration: POSTs { privateKey, label } as plain JSON over HTTPS to the C2, with header x-polybot-device: <UUID> for device fingerprinting.

Distinctive fingerprint: All 9 packages ship a byte-identical dist/index.js (711 KB, SHA-256 e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb) — only the name field in package.json differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working scan / quote / trade / copy commands as cover for credential theft. The banner falsely claims private keys "stay encrypted."

Targeting: polymarket-claude-code and polymarket-ai-agent are named to surface in Claude Code and other LLM-assisted coding workflows that recommend packages without evaluating provenance. The maintainer explicitly targets developers who install whatever such tools suggest; the payload is identical to the rest of the campaign.

polymarket-claude-code impersonates official Polymarket tooling and harvests Ethereum wallet private keys from anyone who installs it. scripts/postinstall.mjs auto-spawns node dist/index.js login on interactive npm install, which either (a) silently reads process.env.PRIVATE_KEY and POSTs it, or (b) prompts the user for their wallet private key and POSTs it, in plaintext, to the hardcoded endpoint https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys (dist/index.js:37). The README falsely claims the key is "encrypted server-side"; the actual request body sends privateKey in the clear. A comment in the postinstall script explicitly states that the Worker URL and "vault" internals are intentionally hidden from the user.

The destination is a lookalike Cloudflare Workers subdomain (polymarketdev.workers.dev); Polymarket's real infrastructure is on polymarket.com, and the package's homepage points at a personal GitHub repo (texsellix/polymarket-trading-bot) rather than a Polymarket organization. Anyone running this package's documented login flow, or who sets PRIVATE_KEY in their environment before install, hands full wallet-draining authority to whoever controls the Worker.
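The exfiltration described above has three observable network indicators: the C2 host, a POST to /v1/wallets/keys, and the x-polybot-device header. The following detection logic over egress logs is an added example written for this advisory, not O3 Security tooling or code from the package. It assumes one JSON object per log line with host, method, path and headers fields (adapt the field names to your proxy or eBPF sensor), and the sample log lines are constructed, not real traffic. The lookalike regex generalizes beyond the single C2 host to any workers.dev label impersonating Polymarket.

```python
"""Flag egress events matching the polymarket-claude-code exfiltration pattern.

Added example for this advisory, not code from O3 Security or the malicious
package. Log format (JSON per line with host/method/path/headers) is an assumption.
"""
import json
import re

# Indicators taken from the advisory.
C2_HOST = "polymarketbot.polymarketdev.workers.dev"
C2_PATH = "/v1/wallets/keys"
DEVICE_HEADER = "x-polybot-device"
# Broader heuristic (assumption): any workers.dev label that impersonates Polymarket.
LOOKALIKE = re.compile(r"(^|\.)polymarket[a-z0-9-]*\.workers\.dev$", re.I)


def classify(event: dict) -> list[str]:
    """Return the indicator names an egress event matches (empty list = clean)."""
    hits = []
    host = event.get("host", "").lower()
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if host == C2_HOST:
        hits.append("c2_host")
    elif LOOKALIKE.search(host):
        hits.append("workers_dev_lookalike")
    if event.get("method") == "POST" and event.get("path") == C2_PATH:
        hits.append("wallet_key_post")
    if DEVICE_HEADER in headers:
        hits.append("device_fingerprint_header")
    return hits


def scan(lines):
    """Yield (line_no, hits) for every log line matching at least one indicator."""
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the sweep
        hits = classify(event)
        if hits:
            yield n, hits


# Constructed sample log lines (not captured traffic): the exfil POST with a fake
# device UUID, a lookalike host, and benign traffic to the real polymarket.com.
SAMPLE_LOG = [
    '{"host":"polymarketbot.polymarketdev.workers.dev","method":"POST",'
    '"path":"/v1/wallets/keys","headers":{"x-polybot-device":"00000000-0000-4000-8000-000000000000"}}',
    '{"host":"polymarket-support.workers.dev","method":"GET","path":"/","headers":{}}',
    '{"host":"polymarket.com","method":"GET","path":"/markets","headers":{}}',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

A match on c2_host or wallet_key_post is a confirmed exfiltration attempt from that host; a lone workers_dev_lookalike hit is a lead to triage, since legitimate workers.dev traffic exists.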

Malicious versions

1 version flagged: 0.1.0

Indicators of compromise (SHA-256)

f2b31a4580efa3f8b3392e4d2197aa9253340bbe48741b2f46abcc8fe5296308

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your npm lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock), node_modules trees and build artifacts for polymarket-claude-code (version 0.1.0 is the flagged release; treat any version of the name as suspect). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging polymarket-claude-code across your stack and pipelines.

  2. If you installed it — respond

    polymarket-claude-code is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets (npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values) from a known-clean machine. An Ethereum private key cannot be rotated: if PRIVATE_KEY was set in the environment or typed into the prompt, move any remaining assets to a freshly generated wallet and treat the old address as burned. Audit logs for unauthorized use of the other credentials.

  3. Did it already run?

    If polymarket-claude-code was ever installed, its post-install/runtime payload may have already executed. On a developer machine, a ~/.polybot/ directory containing device.json or wallets.json is direct evidence that the login payload ran. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise, not just the presence of the package.

  4. How O3 protects you

    O3 blocks polymarket-claude-code before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
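Steps 1 and 3 can be run as one local hunt: search lockfiles for the package, hash any installed dist/index.js against the campaign bundle, grep it for the hardcoded C2 host, and check for the ~/.polybot/ persistence artifacts. The script below is an added example written for this advisory, not O3 Security's scanner or code from the package; the repository root and home directory it takes are assumptions you pass in, and the lockfile matching is a triage heuristic, not a full parser.

```python
"""Hunt for polymarket-claude-code in a checkout and for evidence it ran.

Added example for this advisory (not O3 Security tooling). Indicators are the
package name, the campaign bundle SHA-256, the C2 host and the ~/.polybot/ files.
"""
import hashlib
import json
import re
from pathlib import Path

PKG = "polymarket-claude-code"
# Byte-identical dist/index.js shared by all 9 packages in the campaign.
BUNDLE_SHA256 = "e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb"
C2_HOST = "polymarketbot.polymarketdev.workers.dev"
# name@version tokens as they appear in yarn.lock and pnpm-lock.yaml entries.
TOKEN_RE = re.compile(re.escape(PKG) + r"@([^\s:'\",)]+)")


def hits_in_package_lock(path: Path) -> list[str]:
    """Report entries naming PKG in lockfileVersion 1, 2 and 3 layouts."""
    data = json.loads(path.read_text())
    found = []
    # v2/v3: "packages" keyed by node_modules path (nested installs included).
    for key, meta in data.get("packages", {}).items():
        if key.endswith("node_modules/" + PKG):
            found.append(f"{path}: {key}@{meta.get('version')}")
    # v1 (and the v2 compatibility block): "dependencies" keyed by name.
    for name, meta in data.get("dependencies", {}).items():
        if name == PKG:
            found.append(f"{path}: dependencies.{name}@{meta.get('version')}")
    return found


def hits_in_text_lock(path: Path) -> list[str]:
    """yarn.lock / pnpm-lock.yaml: every PKG@<spec> token is enough to triage."""
    return [f"{path}: {PKG}@{v}" for v in TOKEN_RE.findall(path.read_text())]


def check_installed(node_modules: Path) -> list[str]:
    """Hash dist/index.js of an installed copy and look for the hardcoded C2 host."""
    pkg_dir = node_modules / PKG
    if not pkg_dir.is_dir():
        return []
    found = [f"{pkg_dir}: installed"]
    bundle = pkg_dir / "dist" / "index.js"
    if bundle.is_file():
        data = bundle.read_bytes()
        if hashlib.sha256(data).hexdigest() == BUNDLE_SHA256:
            found.append(f"{bundle}: campaign bundle (sha256 match)")
        if C2_HOST.encode() in data:
            found.append(f"{bundle}: contains C2 host {C2_HOST}")
    return found


def check_ran(home: Path) -> list[str]:
    """~/.polybot/ is only written when the login payload executed on this host."""
    polybot = home / ".polybot"
    return [str(p) for p in (polybot / "device.json", polybot / "wallets.json") if p.is_file()]


def hunt(root: Path, home: Path) -> list[str]:
    """Combine lockfile, node_modules and persistence checks into one finding list."""
    findings = []
    for lock in root.rglob("package-lock.json"):
        findings += hits_in_package_lock(lock)
    for name in ("yarn.lock", "pnpm-lock.yaml"):
        for lock in root.rglob(name):
            findings += hits_in_text_lock(lock)
    for nm in root.rglob("node_modules"):
        findings += check_installed(nm)
    findings += check_ran(home)
    return findings


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in hunt(root, Path.home()):
        print(f)
```

Any finding from check_installed or check_ran means step 2 applies in full; a lockfile-only hit on a machine where npm install never ran still warrants removing the entry and rebuilding the lockfile from a clean state.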

Frequently asked questions

Is polymarket-claude-code safe to use?

No. polymarket-claude-code on npm has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately; do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003701

Credits

  • Amazon Inspector · finder
  • SafeDep · finder
