Malicious npm Package Targets Polymarket Bot Developers
Developers of trading bots for the Polymarket platform have been targeted through a malicious package called 'sleek-pretty' in the npm repository. Disguised as a logging library, this tool steals sensitive data—including API keys and wallet private keys—putting users at risk of significant financial loss.
Attack Mechanism and Targets
The package was published to npm on April 10 under the account probull02. Once installed into a project, it activates automatically, bypassing standard security checks. Its code is heavily obfuscated, making threat detection difficult.
This attack targets a narrow group: developers building automated systems for Polymarket, a decentralized prediction market platform with hundreds of millions in trading volume. These bots rely on the official SDK, where credentials are typically stored in .env files.
The malicious payload:
- Collects system information: OS, IP address, username.
- Sends stolen data to attacker-controlled servers.
- On Linux, injects an SSH key into authorized_keys for persistent access.
- Scans the filesystem for .env, JSON, and document files, focusing specifically on Polymarket SDK artifacts.
Impact on Victims
With access to this data, attackers can manipulate trades via API and directly drain funds from wallets. Bot accounts often hold hundreds of thousands to millions of dollars, amplifying the financial stakes.
Even uninstalling the package doesn’t eliminate the threat due to the persistent SSH backdoor. Attackers retain server control regardless of password rotation.
Key takeaways:
- The package pretends to be a logging utility but steals Polymarket credentials.
- Installs an SSH backdoor on Linux systems.
- Uses tactics linked to North Korea’s Lazarus Group.
- Users should audit authorized_keys and rotate all secrets immediately.
- This incident highlights supply chain risks in crypto trading software.
Broader Threat Landscape in the npm Ecosystem
The npm registry remains a prime target for supply chain attacks. Between 2023 and 2025, multiple campaigns have targeted cryptocurrency developers—fake packages stealing credentials for DeFi and NFT projects. Lazarus Group, known for breaching major crypto exchanges, frequently employs similar techniques: short-lived accounts and code obfuscation.
Polymarket, which allows betting on real-world events—from elections to sports—attracts high-volume traders. Bots automate these wagers using SDK data, making them attractive targets. The success of such attacks stems from blind trust in npm, hardcoded secrets, and lack of package verification.
Security Recommendations
Bot developers should adopt a layered defense strategy:
- Use secret managers instead of .env files.
- Scan packages for obfuscation using tools like Socket or Snyk.
- Restrict server access permissions.
- Monitor authorized_keys and SSH logs regularly.
- Migrate to verified SDKs with built-in security features.
Industry-Wide Implications
This incident underscores critical vulnerabilities in software supply chains. For the crypto industry, it’s a wake-up call for stricter auditing—compromised keys lead to instant asset theft. Regulators may soon enforce package verification rules, similar to EU DORA standards. While platforms like Polymarket are enhancing their SDKs, developers remain the weakest link. The broader trend shows rising attacks on DeFi, where daily trading volumes exceed $100 billion.
— Editorial Team
No comments yet.