Polymarket Bot Scam Hits 53 Devs in npm Malware Attack
What was the main hacking method used in the Polymarket bot scam?
What kind of information did the attackers steal through this scam?
What is the scale of the losses and how is the scam spreading?

- Hackers used a fake Polymarket trading bot and 30 npm packages to steal wallet keys and credentials.
- At least 53 developers installed or forked the malicious code, exposing sensitive data.
On July 1, 2026 (UTC), SlowMist and SafeDep reported that suspected North Korean hackers targeted DeFi and Polymarket developers with a new malware campaign. The attackers uploaded a fake “polymarket-arbitrage-bot” to GitHub, promising high annual returns and mimicking legitimate Polymarket trading bots to appear credible.
The bot’s GitHub repository quickly attracted attention with claims of over $80,000 per year in earnings and references to successful trading strategies. Within days, the repository received 36 stars and 53 forks, as developers sought to profit from the advertised arbitrage.
The scam instructed users to enter their Polymarket private keys in a configuration file before running “npm install.” This step installed 30 malicious npm packages, including a hidden dependency called clob-client-math. Malware embedded in these packages targeted wallet keys, browser passwords, AWS credentials, SSH keys, API tokens, and similar sensitive information by executing code during installation.
Attackers distributed the malicious packages across multiple newly created npm accounts, making reputation-based detection difficult. According to SafeDep, the info-stealing code was pulled in through package.json dependencies: it was present in the installed tree but never imported by any visible source file.
This incident is part of the Contagious Trader campaign, which repeatedly targets the crypto developer community. In March 2026, a related npm account takeover compromised hundreds of packages and resulted in theft from the Axios maintainer, as previously reported by Cryptopolitan.
Security experts advise affected users to treat their systems as compromised, rotate wallet keys, and change all credentials—including passwords, AWS keys, SSH keys, API tokens, and browser-stored passwords. Auditing npm lock files for unused or suspicious dependencies, especially the 30 identified malicious packages, is crucial. Developers should be cautious with npm packages from new or unverified accounts.
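The two signals described above (a declared dependency that no visible source file imports, and a locked package that runs code at install time) can be checked mechanically. The following is an added example, not code from the article or from SlowMist/SafeDep; every package name and file in it is constructed sample data, and it reads a lockfileVersion 2/3 `packages` map, where npm sets `hasInstallScript` on entries with preinstall/install/postinstall scripts.

```javascript
// Added example, not code from the article or from SlowMist/SafeDep: audit a
// project for a declared dependency that nothing imports and for locked
// packages that run an install-time script. All names below are constructed.

// Package names referenced by require()/import in the given source files.
function referencedModules(sourceFiles) {
  const refs = new Set();
  const re = /(?:require\(\s*|from\s+|import\s*\(?\s*)["']([^"'./][^"']*?)["']/g;
  for (const code of Object.values(sourceFiles)) {
    for (const m of code.matchAll(re)) {
      const parts = m[1].split("/"); // "@scope/pkg/sub" -> "@scope/pkg", "pkg/sub" -> "pkg"
      refs.add(parts[0].startsWith("@") ? parts.slice(0, 2).join("/") : parts[0]);
    }
  }
  return refs;
}

// Declared dependencies that no visible source file ever imports.
function unreferencedDeps(pkgJson, sourceFiles) {
  const declared = Object.keys({ ...pkgJson.dependencies, ...pkgJson.devDependencies });
  const used = referencedModules(sourceFiles);
  return declared.filter((name) => !used.has(name)).sort();
}

// Lock-file (lockfileVersion 2/3) entries flagged with hasInstallScript, which
// npm sets when a package declares preinstall/install/postinstall scripts.
function depsWithInstallScripts(lockJson) {
  return Object.entries(lockJson.packages || {})
    .filter(([path, entry]) => path !== "" && entry.hasInstallScript === true)
    .map(([path]) => path.replace(/^.*node_modules\//, ""))
    .sort();
}

// Constructed sample project: one dependency is never imported and also
// carries an install script, the pattern the article describes.
const samplePackageJson = {
  dependencies: { "example-clob-client": "^1.0.0", "example-wallet-lib": "^2.1.0", "hidden-math-helper": "1.0.2" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: samplePackageJson.dependencies },
    "node_modules/example-clob-client": { version: "1.0.0" },
    "node_modules/example-wallet-lib": { version: "2.1.0" },
    "node_modules/hidden-math-helper": { version: "1.0.2", hasInstallScript: true },
  },
};
const sampleSources = {
  "src/bot.js": 'const { Client } = require("example-clob-client");\nimport { Wallet } from "example-wallet-lib";',
};
console.log(unreferencedDeps(samplePackageJson, sampleSources), depsWithInstallScripts(sampleLock));
```

In a real audit, `samplePackageJson`, `sampleLock` and `sampleSources` would be read from package.json, package-lock.json and the project's source tree; a name that appears in both result lists deserves the same scrutiny the article gives the hidden dependency.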
At least 53 developers installed or forked the compromised code before the scam was exposed. Researchers warn that any device where the fake bot or related npm packages were installed needs a full security review and immediate credential rotation.