Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in polymarket-trading-developer-tools (npm)

polymarket-trading-developer-tools

Risk score

92

AI summary

Indexed incident for polymarket-trading-developer-tools (npm).

Description

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-trading-developer-tools uses a dropper technique: a postinstall hook downloads configuration from pm-trading-dev-tools-be.vercel.app and exfiltrates data to the shared C2 polymarket-clob-service.vercel.app. The payload harvests cryptocurrency wallet vaults, browser credentials, SSH keys, AWS credentials, developer secrets, shell history, and password manager databases.

Technical details

Affected versions

>=0

Indicators

  • affected version >=0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
