Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in polymarket-clob-maths (npm)

polymarket-clob-maths

Risk score

92

AI summary

Indexed incident for polymarket-clob-maths (npm).

Description

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-clob-maths uses a dropper technique: a postinstall hook fetches a remote bundle from trabalhos-flax.vercel.app and executes a syncSession() function that runs a second-stage infostealer. The payload harvests cryptocurrency wallet vaults, browser credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates the data to the attacker-controlled C2.

Technical details

Affected versions

>=0

Indicators

  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents