Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor
Michael Baker
TL;DR: [email protected] targets developers running Polymarket trading bots. Published April 10, 2026, the package executes at require() time with no install hook, running four attack chains: system fingerprinting, SSH backdoor installation, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials. L2 API keys, L1 wallet private keys, or both may be exposed. Polymarket carries $477M in open interest. Attributed to DPRK/Famous Chollima (Lazarus Group).
What happened
On April 10, 2026, a package named [email protected] was published to npm by a newly registered account, probull02. The package presents as a logging utility and exports a functional Logger object. The malicious payload runs on require(). The payload JavaScript is obfuscated; analysis required deobfuscation before the attack chains were visible.
The package targets developers running automated trading bots on Polymarket, a prediction market platform with $477M in open interest and $9.7B in monthly trading …
IoC
http://api.mywalletsss.store/api/validate/system-info
http://mywalletsss.store
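Because the payload is obfuscated and runs at require() time, egress and DNS logs are a practical place to look for the domain listed above. The following is an added example, not code from the original post: it sweeps log lines for that domain and its subdomains, matching on label boundaries to avoid lookalike false positives. The log format and the sample lines are constructed assumptions.

```javascript
// Added example: sweep proxy/DNS log lines for the IoC domain listed on this page.
const IOC_DOMAINS = ['mywalletsss.store']; // taken from the IoC list above

// Match the IoC domain or any subdomain on a label boundary, so that
// "notmywalletsss.store" and "mywalletsss.store.example.com" do not match.
function isIocHost(host) {
  const h = String(host).toLowerCase().replace(/\.$/, '');
  return IOC_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Extract candidate hostnames from one log line: URL hosts first, then bare
// dotted names in what remains (DNS query logs, CONNECT lines).
function hostsInLine(line) {
  const hosts = new Set();
  const rest = line.replace(/https?:\/\/[^\s"'<>]+/gi, (u) => {
    try { hosts.add(new URL(u).hostname); } catch { /* unparsable URL, skip */ }
    return ' ';
  });
  for (const m of rest.matchAll(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi)) hosts.add(m[0]);
  return [...hosts];
}

// Return one record per log line that references an IoC host.
function sweep(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const hosts = hostsInLine(line).filter(isIocHost);
    if (hosts.length) hits.push({ lineNo: i + 1, hosts, line });
  });
  return hits;
}

// Constructed sample log lines (hypothetical format, not a real capture).
const SAMPLE_LOG = [
  '2026-04-10T09:14:02Z bot-01 GET https://registry.npmjs.org/ 200',
  '2026-04-10T09:14:07Z bot-01 POST http://api.mywalletsss.store/api/validate/system-info 200',
  '2026-04-10T09:14:09Z bot-01 dns query A MyWalletsss.Store.',
  '2026-04-10T09:15:00Z bot-02 GET https://notmywalletsss.store/ 404',
  '2026-04-10T09:15:03Z bot-02 dns query A mywalletsss.store.example.com',
];

for (const h of sweep(SAMPLE_LOG)) console.log(`line ${h.lineNo}: ${h.hosts.join(', ')}`);
```

Only the second and third sample lines are reported; the lookalike domain and the unrelated parent domain are ignored.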