Back to Home

Malicious npm package steals Polymarket bots keys

Malicious sleek-pretty package in npm targets Polymarket bot developers, stealing API keys and implanting SSH backdoors. The attack is linked to Lazarus Group. Analysis of risks, consequences and protection measures for the crypto industry.

Hackers attacked Polymarket bots via npm: threat details
Advertisement 728x90

Malicious npm Package Targets Polymarket Bot Developers

Developers of trading bots for the Polymarket platform have been targeted through a malicious package called 'sleek-pretty' in the npm repository. Disguised as a logging library, this tool steals sensitive data—including API keys and wallet private keys—putting users at risk of significant financial loss.

Attack Mechanism and Targets

The package was published to npm on April 10 under the account probull02. Once installed into a project, it activates automatically, bypassing standard security checks. Its code is heavily obfuscated, making threat detection difficult.

This attack targets a narrow group: developers building automated systems for Polymarket, a decentralized prediction market platform with hundreds of millions in trading volume. These bots rely on the official SDK, where credentials are typically stored in .env files.

Google AdInline article slot

The malicious payload:

  • Collects system information: OS, IP address, username.
  • Sends stolen data to attacker-controlled servers.
  • On Linux, injects an SSH key into authorized_keys for persistent access.
  • Scans the filesystem for .env, JSON, and document files, focusing specifically on Polymarket SDK artifacts.

Impact on Victims

With access to this data, attackers can manipulate trades via API and directly drain funds from wallets. Bot accounts often hold hundreds of thousands to millions of dollars, amplifying the financial stakes.

Even uninstalling the package doesn’t eliminate the threat due to the persistent SSH backdoor. Attackers retain server control regardless of password rotation.

Google AdInline article slot

Key takeaways:

  • The package pretends to be a logging utility but steals Polymarket credentials.
  • Installs an SSH backdoor on Linux systems.
  • Uses tactics linked to North Korea’s Lazarus Group.
  • Users should audit authorized_keys and rotate all secrets immediately.
  • This incident highlights supply chain risks in crypto trading software.

Broader Threat Landscape in the npm Ecosystem

The npm registry remains a prime target for supply chain attacks. Between 2023 and 2025, multiple campaigns have targeted cryptocurrency developers—fake packages stealing credentials for DeFi and NFT projects. Lazarus Group, known for breaching major crypto exchanges, frequently employs similar techniques: short-lived accounts and code obfuscation.

Polymarket, which allows betting on real-world events—from elections to sports—attracts high-volume traders. Bots automate these wagers using SDK data, making them attractive targets. The success of such attacks stems from blind trust in npm, hardcoded secrets, and lack of package verification.

Google AdInline article slot

Security Recommendations

Bot developers should adopt a layered defense strategy:

  • Use secret managers instead of .env files.
  • Scan packages for obfuscation using tools like Socket or Snyk.
  • Restrict server access permissions.
  • Monitor authorized_keys and SSH logs regularly.
  • Migrate to verified SDKs with built-in security features.

Industry-Wide Implications

This incident underscores critical vulnerabilities in software supply chains. For the crypto industry, it’s a wake-up call for stricter auditing—compromised keys lead to instant asset theft. Regulators may soon enforce package verification rules, similar to EU DORA standards. While platforms like Polymarket are enhancing their SDKs, developers remain the weakest link. The broader trend shows rising attacks on DeFi, where daily trading volumes exceed $100 billion.

— Editorial Team

Advertisement 728x90

Read Next