
30 malicious npm packages linked to a fake Polymarket arbitrage bot compromised wallet private keys and browser passwords for at least 53 developers.
Thirty malicious npm packages disguised as a Polymarket arbitrage bot infected at least 53 developers who installed them, compromising crypto wallet private keys and stored browser passwords. The packages were linked to a GitHub repository that claimed to automate profitable trades on the prediction market platform.
The attack followed a familiar supply-chain pattern. The GitHub project copied the look and documentation of legitimate trading bots but included hidden code that harvested credentials from the infected machine. The npm packages were uploaded under account names designed to mimic legitimate publishers, a tactic that deceives developers who rely on automated dependency resolution.
Once installed, the malware targeted browser-stored passwords and private key files from crypto wallets present on the same machine. Developers working on DeFi frontends, trading interfaces, or smart contract deployment tools are the highest-value targets because their systems may hold direct access to contract owner keys and exchange API tokens.
The npm registry has been a vector for credential-stealing malware before. The 2018 event-stream incident compromised a widely used JavaScript library to target a specific cryptocurrency wallet. The Polymarket impersonation campaign repeats the same method but with a narrower lure – a specific trading bot rather than a general-purpose utility.
Developers who installed any package associated with the fake Polymarket arbitrage tool should treat their private keys as compromised. Rotating all wallet keys, changing stored passwords, and auditing any smart contracts deployed from the infected environment is the only safe response. At least 53 developers downloaded the packages, according to researchers who identified the campaign.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.