Malicious package

polymarket-copy-trading (npm)

Malicious code in polymarket-copy-trading (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4213
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall polymarket-copy-trading

What this malware does

A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev (GitHub actor texsellix, repo texsellix/polymarket-trading-bot) within a ~2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys.

Kill chain:

  • The postinstall hook (scripts/postinstall.mjs) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints "polybot installed" and exits to evade automated analysis.
  • Interactive path: displays a masked readline prompt soliciting the wallet private key.
  • Passive path: reads .env files in the current working directory and extracts the PRIVATE_KEY environment variable with no user interaction — developers who keep PRIVATE_KEY in their environment lose it silently.
  • Local persistence: creates ~/.polybot/ (mode 0700) containing device.json (UUID + creation timestamp) and wallets.json (Ethereum address + keccak256 fingerprint + pushedAt timestamp).
  • Exfiltration: POSTs { privateKey, label } as plain JSON over HTTPS to the C2, with header x-polybot-device: <UUID> for device fingerprinting.

Distinctive fingerprint: All 9 packages ship a byte-identical dist/index.js (711 KB, SHA-256 e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb) — only the name field in package.json differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working scan / quote / trade / copy commands as cover for credential theft. The banner falsely claims private keys "stay encrypted."

Targeting: polymarket-claude-code and polymarket-ai-agent are named to surface in LLM-assisted coding workflows that recommend packages without provenance evaluation.

polymarket-copy-trading targets developers seeking copy-trading workflows. Payload is identical to the rest of the campaign.

On npm install in a TTY, scripts/postinstall.mjs auto-spawns dist/index.js login, which prompts the installer to paste an Ethereum/Polymarket wallet private key (validated as 0x-prefixed 32-byte hex) and then POSTs the plaintext key to https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys. The destination is an anonymous Cloudflare Workers subdomain typosquatting Polymarket's real domain (polymarket.com) — not Polymarket infrastructure.

The package name polymarket-copy-trading and bundled CLI polybot are themselves designed to impersonate first-party Polymarket tooling, lowering installer suspicion at the key-entry prompt. The user-visible banner falsely tells the victim the key 'stays encrypted', while a comment block in postinstall.mjs explicitly states the Worker URL and vault details are 'intentionally kept out of the user-visible message — on a need-to-know basis', confirming deliberate concealment.

Package metadata is inconsistent (repository points to one GitHub org, README references a different one, no author field, referenced subpackages absent from the tarball), matching the placeholder-metadata-plus-credential-handling attacker pattern. Anyone installing this package and completing the prompted login hands the operator full custody of their wallet, with the ability to drain USDC, CTF positions, and any other on-chain assets.

Malicious versions

1 flagged: 0.1.0

Indicators of compromise (SHA-256)

1082ab41486ab2c4cd05cac1fc789e03e999d67f633f08f6c503121aeabe4efe

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for polymarket-copy-trading (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging polymarket-copy-trading across your stack and pipelines.

  2. If you installed it — respond

    polymarket-copy-trading is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If polymarket-copy-trading was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks polymarket-copy-trading before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. polymarket-copy-trading on npm has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003700

Credits

  • Amazon Inspector · finder
  • SafeDep · finder

Detect & block this

O3 blocks polymarket-copy-trading-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.
