polymarket-trading-cli (npm)
Malicious code in polymarket-trading-cli (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev (GitHub actor texsellix, repo texsellix/polymarket-trading-bot) within a ~2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while exfiltrating Ethereum private keys to a Cloudflare Worker C2 at https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys.
Kill chain:
- The postinstall hook (scripts/postinstall.mjs) probes for an interactive TTY. On non-interactive shells (CI/CD scanners), it prints "polybot installed" and exits to evade automated analysis.
- Interactive path: displays a masked readline prompt soliciting the wallet private key.
- Passive path: reads .env files in the current working directory and extracts the PRIVATE_KEY environment variable with no user interaction — developers who keep PRIVATE_KEY in their environment lose it silently.
- Local persistence: creates ~/.polybot/ (mode 0700) containing device.json (UUID + creation timestamp) and wallets.json (Ethereum address + keccak256 fingerprint + pushedAt timestamp).
- Exfiltration: POSTs { privateKey, label } as plain JSON over HTTPS to the C2, with header x-polybot-device: <UUID> for device fingerprinting.
Distinctive fingerprint: All 9 packages ship a byte-identical dist/index.js (711 KB, SHA-256 e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb) — only the name field in package.json differs across packages. The bundle wraps the real Polymarket CLOB SDK, ethers.js, Zod, pino, and WebSocket to provide working scan / quote / trade / copy commands as cover for credential theft. The banner falsely claims private keys "stay encrypted."
Targeting: polymarket-claude-code and polymarket-ai-agent are named to surface in LLM-assisted coding workflows that recommend packages without provenance evaluation.
polymarket-trading-cli is the generic search-vector entry in the campaign — the broadest name designed to catch developers searching for any Polymarket CLI.
Malicious versions
Every published version of this package is considered malicious — remove it entirely.
Detection & response playbook
Credential / info stealer
Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for polymarket-trading-cli (all published versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging polymarket-trading-cli across your stack and pipelines.
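The lockfile and bundle-hash checks above, as an added example that is not the advisory's, O3's or SafeDep's code: it looks for the three campaign package names the advisory lists in the common npm lockfiles, then walks node_modules and compares every package's dist/index.js against the shared SHA-256 from the "Distinctive fingerprint" paragraph, so a renamed copy of the bundle is still caught. The sample project it builds is constructed, and its dist/index.js is placeholder text rather than the real 711 KB bundle, so only the name check fires against it unless you pass a different hash.

```python
# Added example (not from the advisory or from O3/SafeDep): scan a project for the
# polymarket-trading-cli campaign by lockfile name and by the shared dist/index.js hash.
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Campaign package names that appear in the advisory (the campaign has 9; these are the named ones).
CAMPAIGN_PACKAGES = {"polymarket-trading-cli", "polymarket-claude-code", "polymarket-ai-agent"}
# SHA-256 of the byte-identical dist/index.js all 9 packages ship (value from the advisory).
CAMPAIGN_BUNDLE_SHA256 = "e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb"
LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock")


def scan_lockfile(path):
    """Return the campaign package names referenced in a lockfile, matched as whole tokens."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = set()
    for name in CAMPAIGN_PACKAGES:
        # Whole-token match so that e.g. polymarket-trading-cli-something does not count.
        if re.search(rf"(?<![\w.-]){re.escape(name)}(?![\w-])", text):
            hits.add(name)
    return hits


def sha256_file(path):
    """Streaming SHA-256 of a file; the malicious bundle is 711 KB, so do not read it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_node_modules(root, bundle_hash=CAMPAIGN_BUNDLE_SHA256):
    """Walk every installed package and flag campaign names or the campaign bundle hash.

    Returns a list of (package_dir, reason) tuples. A renamed copy of the bundle is still
    caught by the hash check, which is why the name check alone is not enough.
    """
    findings = []
    for pkg_json in Path(root).rglob("node_modules/*/package.json"):
        pkg_dir = pkg_json.parent
        try:
            name = json.loads(pkg_json.read_text(encoding="utf-8")).get("name", "")
        except (ValueError, OSError):
            continue
        if name in CAMPAIGN_PACKAGES:
            findings.append((str(pkg_dir), f"campaign package name {name}"))
        bundle = pkg_dir / "dist" / "index.js"
        if bundle.is_file() and sha256_file(bundle) == bundle_hash:
            findings.append((str(pkg_dir), "dist/index.js matches campaign bundle SHA-256"))
    return findings


def scan_project(root, bundle_hash=CAMPAIGN_BUNDLE_SHA256):
    """Combine lockfile and node_modules checks into one report for a project root."""
    root = Path(root)
    report = {"lockfile_hits": {}, "node_modules": []}
    for lockfile in LOCKFILES:
        path = root / lockfile
        if path.is_file():
            hits = scan_lockfile(path)
            if hits:
                report["lockfile_hits"][lockfile] = sorted(hits)
    report["node_modules"] = scan_node_modules(root, bundle_hash)
    return report


def build_sample_project():
    """Constructed fixture: a project that depends on the campaign package plus a benign one.

    The dist/index.js files written here are placeholder text, NOT the real 711 KB bundle, so
    only the name check fires against them unless the caller passes its own hash.
    """
    root = Path(tempfile.mkdtemp(prefix="polymarket-scan-"))
    lock = {
        "name": "sample-app",
        "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"polymarket-trading-cli": "^1.0.0", "zod": "^1.0.0"}},
            "node_modules/polymarket-trading-cli": {"version": "1.0.0"},
            "node_modules/zod": {"version": "1.0.0"},
        },
    }
    (root / "package-lock.json").write_text(json.dumps(lock, indent=2), encoding="utf-8")
    for name in ("polymarket-trading-cli", "zod"):
        pkg_dir = root / "node_modules" / name
        (pkg_dir / "dist").mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, "version": "1.0.0"}), encoding="utf-8")
        (pkg_dir / "dist" / "index.js").write_text(f"// constructed placeholder bundle for {name}\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    sample = build_sample_project()
    print(json.dumps(scan_project(sample), indent=2))
```

Run it against a real checkout by calling scan_project on the repository root; any entry under "node_modules" with the SHA-256 reason is the campaign bundle regardless of what the package is called, and any entry under "lockfile_hits" means the dependency is pinned in your build even if node_modules has been cleaned.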
If you installed it — respond
polymarket-trading-cli is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If polymarket-trading-cli was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
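A post-install triage for the "Did it already run?" question and the persistence and exfiltration steps of the kill chain, as an added example that is not the advisory's or O3's code: it checks a home directory for the ~/.polybot/ artifacts (device.json, wallets.json) and reads the pushedAt field to list which wallet addresses were already sent, then searches egress log lines for the Cloudflare Worker C2. It matches any host under the maintainer's polymarketdev.workers.dev subdomain, not only the one worker named in the advisory, which is a deliberate generalisation. The JSON key names "id" and "address" and the "<timestamp> <source-ip> <method> <url> <status>" log format are assumptions; the sample home directory and log lines are constructed.

```python
# Added example (not from the advisory or from O3): post-install triage for the
# polymarket-trading-cli campaign, covering the ~/.polybot persistence artifacts and
# the C2 callback as it would appear in an egress/proxy log.
import json
import re
import tempfile
from pathlib import Path

C2_HOST = "polymarketbot.polymarketdev.workers.dev"   # C2 from the advisory
C2_DOMAIN = "polymarketdev.workers.dev"               # the maintainer's whole Workers subdomain
C2_KEY_PATH = "/v1/wallets/keys"                      # endpoint that receives {privateKey, label}

# Assumed generic "<timestamp> <source-ip> <method> <url> <status>" line; adapt to your proxy's format.
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+https?://(?P<host>[^/\s:]+)(?P<path>/\S*)?"
)


def check_persistence(home):
    """Report whether <home>/.polybot exists and what its device.json / wallets.json record.

    Key names inside the JSON files ("id", "address") are assumptions; the advisory only
    states the contents (UUID + timestamp; address + keccak256 fingerprint + pushedAt).
    """
    polybot = Path(home) / ".polybot"
    result = {"present": polybot.is_dir(), "device_id": None, "wallets": []}
    if not result["present"]:
        return result
    device = polybot / "device.json"
    if device.is_file():
        try:
            result["device_id"] = json.loads(device.read_text(encoding="utf-8")).get("id")
        except ValueError:
            pass
    wallets = polybot / "wallets.json"
    if wallets.is_file():
        try:
            data = json.loads(wallets.read_text(encoding="utf-8"))
        except ValueError:
            data = []
        for entry in data if isinstance(data, list) else data.get("wallets", []):
            # A pushedAt value means the key for that address was already sent to the C2.
            result["wallets"].append({"address": entry.get("address"), "pushed": bool(entry.get("pushedAt"))})
    return result


def find_c2_callbacks(lines):
    """Return egress log entries whose destination is the C2 or any host under its Workers subdomain."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        host = match.group("host").lower()
        if host != C2_HOST and host != C2_DOMAIN and not host.endswith("." + C2_DOMAIN):
            continue
        path = match.group("path") or "/"
        hits.append({"ts": match.group("ts"), "src": match.group("src"), "host": host,
                     "path": path, "key_push": path.startswith(C2_KEY_PATH)})
    return hits


def triage(home, log_lines):
    """Combine both checks; 'rotate' lists the wallet addresses whose keys must be treated as stolen."""
    persistence = check_persistence(home)
    callbacks = find_c2_callbacks(log_lines)
    return {
        "persistence": persistence,
        "callbacks": callbacks,
        "compromised": persistence["present"] or bool(callbacks),
        "rotate": [w["address"] for w in persistence["wallets"] if w["pushed"]],
    }


# Constructed sample log lines: one key push to the C2 between two benign requests.
SAMPLE_EGRESS_LOG = [
    "2026-05-21T03:14:07Z 10.0.4.17 POST https://polymarketbot.polymarketdev.workers.dev/v1/wallets/keys 200",
    "2026-05-21T03:14:08Z 10.0.4.17 GET https://registry.npmjs.org/ethers 200",
    "2026-05-21T03:14:09Z 10.0.4.22 GET https://example.com/health 200",
]


def build_sample_home():
    """Constructed fixture: a home directory carrying the persistence artifacts the advisory describes."""
    home = Path(tempfile.mkdtemp(prefix="polybot-triage-"))
    polybot = home / ".polybot"
    polybot.mkdir(mode=0o700)
    (polybot / "device.json").write_text(
        json.dumps({"id": "constructed-device-uuid", "createdAt": "2026-05-21T03:14:06Z"}), encoding="utf-8")
    (polybot / "wallets.json").write_text(
        json.dumps([{"address": "0x" + "00" * 20, "fingerprint": "constructed-keccak-fingerprint",
                     "pushedAt": "2026-05-21T03:14:07Z"}]), encoding="utf-8")
    return home


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_home(), SAMPLE_EGRESS_LOG), indent=2))
```

Point triage at each developer or build home directory that had the package installed; the device_id it returns is the same UUID the malware sends in the x-polybot-device header, so it can be used to tie a ~/.polybot directory to a specific callback if your proxy logs request headers. A key push with a 200 status means the private key reached the C2, so the addresses in "rotate" should be treated as stolen whether or not the wallet has been drained yet.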
How O3 protects you
O3 blocks polymarket-trading-cli before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Credits
- SafeDep · finder
Detect & block this
O3 blocks polymarket-trading-cli-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.