Fake Polymarket Trading Bot Infects DeFi Developers With Credential-Stealing Malware


TL;DR:

  • Thirty malicious npm packages, published from multiple accounts, were linked to a GitHub repository posing as an automated arbitrage tool.
  • At least 53 developers installed the fraudulent program, exposing crypto wallet private keys and browser-stored passwords.
  • The malicious code ran automatically at install time: it lived in a secondary dependency that the project declared but never actually imported.

The decentralized prediction market faces a new attack vector aimed squarely at its technical community. This Wednesday, security firm SlowMist issued an alert about a fake Polymarket trading bot circulating on GitHub that distributes malware built for the mass theft of financial and development credentials.

According to the technical report from the platform SafeDep, the campaign planted a total of 30 malicious npm packages across multiple fake publisher accounts. The fraudulent repository went by the name “polymarket-arbitrage-bot” and promised estimated profits of over $80,000 per year. The pitch caught the attention of the open-source community, reaching 36 stars and 53 forks on the platform before security researchers identified the threat lurking in its install-time dependencies.

Scams of this kind build on documented precedent within the Polymarket ecosystem. Earlier analyses by specialized firms such as Dexter’s Lab reported legitimate automated tools turning $313 into $414,000 within a month. Likewise, independent reports from researcher Igor Mikerin described another automated system generating $2.2 million in revenue over two months. Such stories created an atmosphere of trust that the attackers exploited.


Infection mechanism and source vectors

The tool’s setup instructions required victims to place their wallet private key in an environment file (.env) before running it. According to SafeDep, the malicious code was packaged as a supposed maths library named “clob-client-math” and declared as a dependency of the bot, so it ran as soon as npm fetched the project’s dependencies, the stage at which npm executes any install-time lifecycle scripts a package declares. The victim never had to start the bot for the theft to happen.

The payload harvests credential stores from the victim’s machine. SafeDep’s analysis reports the theft of wallet data from MetaMask, Phantom, Coinbase Wallet and TrustWallet, along with SSH keys, npm and PyPI tokens, Amazon Web Services (AWS) credentials, and entries stored in commonly used password managers.

Security researchers tentatively attribute the incident to operational cells backed by the North Korean government. The operation is described as part of a large-scale campaign called “Contagious Trader,” focused on the decentralized infrastructure sector. That campaign had already been tied to earlier incidents in the first half of the year, including the compromise of corporate media accounts and the hijacking of 323 software packages in under 30 minutes this past May.

SafeDep’s recommendation is that anyone who completed the installation on a machine should treat every secret on it as compromised: rotate all cryptographic keys and change credentials immediately. For a wallet private key, rotation means generating a fresh wallet and moving assets to it, since a leaked key cannot be revoked; for SSH, npm, PyPI and AWS credentials, it means revoking the old secrets and issuing new ones.

Inspecting the project’s package.json confirms the tell: clob-client-math is listed among the project’s dependencies, yet nothing in the application’s source ever imports it. A dependency that is declared but never used by the code has no reason to exist except to run at install time, and that is worth checking before running npm install on any unfamiliar repository.
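As an added example (not code from the article, SlowMist or SafeDep), the following Node.js script checks a project for the two signals described above: a declared dependency that the project’s own source never imports, and a dependency whose package.json declares an install-time lifecycle script, which npm runs automatically during npm install. The package name clob-client-math is taken from the article; every other package name, manifest and source file below is constructed for illustration.

```javascript
// Added example (not from the article or from SafeDep/SlowMist): flag dependencies that
// are declared but never imported, and dependencies that hook npm's install lifecycle.
// npm runs a dependency's preinstall, install and postinstall scripts automatically
// during `npm install`, so a package with one of these executes code before the
// project itself is ever started.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// The three common ways to pull in a package from JavaScript/TypeScript.
// The middle part of a static import excludes quotes and semicolons so that a bare
// `import "x";` on one line cannot be glued to a `from "y"` on a later line.
const IMPORT_PATTERNS = [
  /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g,               // require("x")
  /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g,                // import("x")
  /\bimport\s+(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]/g,   // import ... from "x" / import "x"
];

// Reduce an import specifier to the npm package it belongs to:
// "dotenv/config" -> "dotenv", "@scope/pkg/sub" -> "@scope/pkg". Relative paths,
// absolute paths and node: builtins are not packages and return null.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// sources: { "<file path>": "<file contents>" }. Returns the set of imported package names.
function importedPackages(sources) {
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const re of IMPORT_PATTERNS) {
      for (const m of text.matchAll(re)) {
        const name = packageName(m[1]);
        if (name) found.add(name);
      }
    }
  }
  return found;
}

// rootManifest: the project's package.json object.
// depManifests: { "<package name>": <that package's package.json object> }, i.e. what
//               node_modules/<name>/package.json contains after installation.
// Returns one finding per runtime dependency that is unused, hooks the install, or both.
// devDependencies are deliberately skipped: linters and test runners are rarely imported.
function auditDependencies(rootManifest, depManifests, sources) {
  const used = importedPackages(sources);
  const findings = [];
  for (const name of Object.keys(rootManifest.dependencies || {})) {
    const scripts = (depManifests[name] && depManifests[name].scripts) || {};
    const installScripts = INSTALL_HOOKS.filter((hook) => hook in scripts);
    const imported = used.has(name);
    if (!imported || installScripts.length > 0) {
      findings.push({ name, imported, installScripts });
    }
  }
  return findings;
}

// --- Constructed sample input; only "clob-client-math" is a name from the article ----
const ROOT_MANIFEST = {
  name: "polymarket-arbitrage-bot",
  dependencies: {
    "@example/clob-client": "^1.0.0",   // hypothetical, imported by the bot
    "clob-client-math": "^1.0.2",       // declared, but nothing imports it
    "dotenv": "^16.0.0",
    "ethers": "^6.0.0",
  },
};

// What node_modules/<name>/package.json would hold after `npm install` (constructed).
const DEP_MANIFESTS = {
  "@example/clob-client": { name: "@example/clob-client", scripts: { build: "tsc" } },
  "clob-client-math": { name: "clob-client-math", scripts: { postinstall: "node ./lib/setup.js" } },
  "dotenv": { name: "dotenv", scripts: {} },
  "ethers": { name: "ethers", scripts: { test: "mocha" } },
};

// The bot's own source (constructed). Note that clob-client-math is never imported.
const SOURCES = {
  "index.js": `
    import "dotenv/config";
    import { ClobClient } from "@example/clob-client";
    const { Wallet } = require("ethers");
    const wallet = new Wallet(process.env.PRIVATE_KEY);
  `,
};

for (const f of auditDependencies(ROOT_MANIFEST, DEP_MANIFESTS, SOURCES)) {
  const reasons = [];
  if (!f.imported) reasons.push("declared but never imported");
  if (f.installScripts.length) reasons.push(`runs at install via ${f.installScripts.join(", ")}`);
  console.log(`${f.name}: ${reasons.join("; ")}`);
}
```

On the constructed input only clob-client-math is flagged, and on both counts. To run the check against a real checkout, feed it the project’s package.json, the package.json of each directory under node_modules/, and the contents of the source files. Independently of any audit, installing with npm install --ignore-scripts (or setting ignore-scripts=true in .npmrc) stops lifecycle scripts from running at all, which closes this particular execution path at the cost of breaking the few packages that legitimately need a build step on install.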
