malware npm

polymarket-copy-trading

discovered 2026-05-21

polymarket-copy-trading is identified in the SafeDep analysis "Polymarket npm Packages Steal Crypto Wallet Keys". Nine coordinated npm packages target Polymarket traders with a social-engineered postinstall prompt that exfiltrates raw private keys to a Cloudflare Worker. The attacker published all packages within 30 seconds from a throwaway account.

more…

Threat types

crypto_drainer credential_stealer data_exfiltration

Malicious versions

0.1.0
0.1.1

Campaigns

Crypto Wallet Drainersattributed-to

Indicators

domain polymarketbot.polymarketdev.workers.devcommunicates-with
sha256 e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edbindicates
email dmtnatpepes@proton.meexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1552.004 Unsecured Credentials: Private Keysuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →