npm

polymarket-auto-trade

polymarket-auto-trade is identified in the SafeDep analysis "Polymarket npm Packages Steal Crypto Wallet Keys". Nine coordinated npm packages target Polymarket traders with a social-engineered postinstall prompt that exfiltrates raw private keys to a Cloudflare Worker. The attacker published all packages within 30 seconds from a throwaway account.

discovered 2026-05-21

Threat types

crypto_drainercredential_stealerdata_exfiltration

Malicious versions

0.1.0
0.1.1

Campaigns

Crypto Wallet Drainersattributed-to

Indicators

domainpolymarketbot.polymarketdev.workers.devcommunicates-with
sha256e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edbindicates
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →