WikiBit 2026-07-02 08:02Hackers created a fake trading bot for Polymarkets prediction markets on GitHub. The bot was used to
Hackers created a fake trading bot for Polymarkets prediction markets on GitHub. The bot was used to spread malware that steals credentials like wallet keys and browser passwords.
30 malicious packages were found across several npm accounts, reportedly targeting developers and traders who use automated strategies. At least 53 developers fell for the trap before it was flagged.
How did a fake bot spread to over 53 developers?
On July 1, 2026, the security firm SlowMist flagged a fake trading bot that promised big profits on Polymarket but was actually just a delivery vehicle for malware. SafeDep found 30 malicious npm packages spread across multiple accounts and tied to one fake GitHub repository.
The criminals posted a “polymarket-arbitrage-bot” that claimed to make over $80,000 per year. It got 36 stars and 53 forks before the scam was exposed. Every developer who downloaded and installed it ran the malware.
The attackers were aware of the fact that real trading bots have made huge money on Polymarket.
One bot profiled by prediction-markets analyst Dexters Lab turned $313 into $414,000 in just one month, while another, analyzed by researcher Igor Mikerin, made $2.2 million over two months. This track record made the fake bot look believable to traders chasing easy profits.
The instructions for this fake trading bot included having users put their Polymarket private key into a .env file before running “npm install.” During installation, the malware, which is hidden inside a dependency called “clob-client-math”, would run.
The malware steals a lot of sensitive data, including:
What should you do if you downloaded the fake bot?
Security researchers believe North Korean hackers are behind this attack. The group is running a larger campaign called “Contagious Trader” that targets crypto developers.
Cryptopolitan reported in March that hackers took over an Axios developers account and published malicious npm packages. In May, one compromised account was used to take over 323 packages in under 30 minutes.
Polymarket users have also faced other attacks this year, like when, in late June, a phishing scam drained $2.94 million from at least 11 accounts.
SafeDep says any computer that ran “npm install” on the fake bot should be treated as hacked. Such individuals are advised to rotate all crypto wallet keys right away, change every password stored in their browser, and replace all AWS credentials, SSH keys, and API tokens.
Traders are also advised to check their npm lock files for the 30 malicious packages by looking for dependencies that appear in package.json but never get used in the code. The repository‘s “package.json” in this attack listed four dependencies, but only three (the official Polymarket SDK, ethers, and dotenv) were legitimate. The fourth, clob-client-math, which hid the malware, was never imported anywhere in the bot’s source code.
The best defense is checking if packages come from new accounts with no publishing history, as all the fake packages were published by brand-new accounts.
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
XRP утримується понад $1 після ліквідації позицій із кредитним плечем, оскільки активність мережі покращується
WikiBit 2026-07-01 22:27Symbiotic officially pivots to collateral markets with Core V2 launch
WikiBit 2026-07-01 20:00Ripple, Coinbase among top donors in crypto's $189 million election spending: report
WikiBit 2026-07-01 18:49Europe's MiCA rollout sparks debate over who wins under new crypto rules
WikiBit 2026-07-01 22:23Live markets: bitcoin bounces to $60,000 after Warsh comments, economic data
WikiBit 2026-07-01 22:24CoinDesk Wins a Polk Award, One of Journalism's Top Prizes, for Explosive FTX Coverage
WikiBit 2026-07-01 22:22Aave logs biggest network-growth day in nearly 5 years as DeFi interest returns
WikiBit 2026-07-01 22:23Bitso unveils the 'Hybrid Finance' era as stablecoins reshape global payments
WikiBit 2026-07-02 04:00Kalshi hit with 14-day restraining order in Michigan, blocking sports prediction markets in state
WikiBit 2026-06-30 17:23Ethereum Foundation lays out use cases for governments, institutions in new policy guide
WikiBit 2026-07-02 02:000.00