MAL-2026-6692

Malicious code in polymarket-trading-developer-tools (npm)

Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. `polymarket-trading-developer-tools` uses a dropper technique: a `postinstall` hook downloads configuration from `pm-trading-dev-tools-be.vercel.app` and exfiltrates data to the shared C2 `polymarket-clob-service.vercel.app`. The payload harvests cryptocurrency wallet vaults, browser credentials, SSH keys, AWS credentials, developer secrets, shell history, and password manager databases.

Affected packages

npm / polymarket-trading-developer-tools
Introduced in: 0

No fixed version published yet for polymarket-trading-developer-tools (npm). Pin to a known-safe version or switch to an alternative.
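Because the advisory lists every version as affected ("Introduced in: 0"), any occurrence of the package in a dependency tree is a hit, including transitive ones. The following is an added example, not part of the advisory or of any project's code: it audits a parsed `package-lock.json` for the package name and lists dependencies that declare install scripts, the hook type this dropper relies on. The sample lockfile and its version numbers are constructed.

```javascript
// Added example: audit a parsed package-lock.json for the package in this advisory.
const MALICIOUS = "polymarket-trading-developer-tools"; // name taken from the advisory

// v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; return the innermost name.
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// lockfileVersion 1 stores a nested "dependencies" tree instead of a flat "packages" map.
function walkV1(deps, prefix, visit) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    visit(path, name, meta);
    walkV1(meta.dependencies, `${path}/`, visit);
  }
}

function auditLockfile(lock) {
  const findings = { malicious: [], installScripts: [] };
  const visit = (path, name, meta) => {
    if (name === MALICIOUS) findings.malicious.push({ path, version: meta.version });
    // npm records hasInstallScript for packages with preinstall/install/postinstall hooks.
    if (meta.hasInstallScript) findings.installScripts.push(name);
  };
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key !== "") visit(key, packageName(key), meta); // "" is the root project
    }
  } else {
    walkV1(lock.dependencies, "", visit);
  }
  return findings;
}

// Constructed sample lockfile; package versions are illustrative only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true },
    "node_modules/some-sdk/node_modules/polymarket-trading-developer-tools":
      { version: "1.0.2", hasInstallScript: true },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Installing with `npm ci --ignore-scripts` keeps `postinstall` hooks from running while a tree is being audited.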
