Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor
Michael Baker

TL;DR — sleek-pretty@1.0.0 targets developers running Polymarket trading bots. Published April 10, 2026, the package executes at require() time with no install hook, running four attack chains: system fingerprinting, SSH backdoor installation, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials. L2 API keys, L1 wallet private keys, or both may be exposed. Polymarket carries $477M in open interest. Attributed to DPRK/Famous Chollima (Lazarus Group).
What happened
On April 10, 2026, a package named sleek-pretty@1.0.0 was published to npm by a newly registered account, probull02. The package presents as a logging utility and exports a functional Logger object. The malicious payload runs on require(). The payload JavaScript is obfuscated; analysis required deobfuscation before the attack chains were visible.
The package targets developers running automated trading bots on Polymarket, a prediction market platform with $477M in open interest and $9.7B in monthly trading volume. These bots use the official @polymarket/clob-client SDK and store credentials in .env files — L2 CLOB API keys, L1 wallet private keys, or both. sleek-pretty was built specifically to target this configuration.
A prior campaign documented by StepSecurity in 2024–2025 distributed typosquatted Polymarket packages through a hijacked GitHub organisation and used generic .env reads. That campaign resulted in confirmed fund losses. sleek-pretty uses the same approach but adds SDK-specific file targeting and SSH persistence not seen in the earlier campaign.
| Date | Event |
|---|---|
| 2026-04-10 | sleek-pretty@1.0.0 published to npm by the newly registered account probull02 |
Who is targeted
The direct targets are developers building automated trading bots on Polymarket using the official @polymarket/clob-client SDK. These developers run bots that execute trades programmatically via the CLOB API and typically store credentials in .env files at the project root — the exact location sleek-pretty reads.
The indirect targets are the traders whose accounts those bots operate on behalf of. Polymarket bots typically run with full trading authority: L2 API credentials that can place and cancel orders, and in many configurations the L1 Ethereum/Polygon private key that controls the underlying USDC balance. A developer whose credentials are stolen is not the only victim — any account the bot manages is exposed to direct fund drain.
Linux developers carry an additional risk. The SSH backdoor is installed only on Linux hosts, giving the attacker persistent machine access that survives package removal and credential rotation. The attack surface extends from credential theft to full host compromise.
The SDK-specific file targeting — hunting createClobClient.ts and clob.ts by name rather than scanning generically for .env files — indicates the attacker built around a specific developer workflow. This is not broad spray-and-pray; it requires prior knowledge of how Polymarket bot developers structure their projects.
How it works
The payload runs four attack chains when the package is first imported. No install hooks are used — the code runs at require() time and returns a normal logger object to the calling application.
System fingerprint. The package collects OS type, local IP address, and username, and sends them to api.mywalletsss[.]store/api/validate/system-info.
SSH backdoor. On Linux, the payload appends an attacker-controlled SSH public key to ~/.ssh/authorized_keys, creating the directory with correct OpenSSH permissions if it does not exist. The key persists after the package is removed.
Filesystem sweep. The payload crawls the user's home directory for .env files, JSON files, and Office documents, and exfiltrates them in batches to /api/validate/files. The crawl root is platform-dependent: the current user's home directory on Linux, all of /Users on macOS, and drive letters C:\ through J:\ on Windows. Office documents (.doc, .docx, .xlsx) are base64-encoded before transmission.
Polymarket credential theft. A dedicated function reads the project .env file and walks up to six directory levels searching for four specific filenames. These filenames are defined as a hardcoded set:
```javascript
// logger.js — function p84(), hardcoded target filenames
const wantedNames = new Set([
  "env.ts",
  "config.ts",
  "createClobClient.ts",
  "clob.ts",
]);
```
These are the exact source files used by the @polymarket/clob-client SDK. Any matches are exfiltrated to /api/validate/project-env, a dedicated endpoint separate from the general file exfil path.
The Polymarket CLOB API uses two credential tiers: L2 API credentials (apiKey, secret, passphrase) that authorise trading operations, and an L1 Ethereum/Polygon wallet private key (POLYMARKET_PRIVATE_KEY) that signs on-chain transactions and controls the actual USDC balance. The SDK setup guide instructs developers to store both in the same .env file. The filesystem sweep and the project-root .env read both capture that file. With the L1 private key, an attacker can sign Polygon transactions directly and withdraw the full USDC balance from the wallet — no API access required. The L2 credential tier is a separate attack surface on top of that.
Active Polymarket traders carry accounts ranging from hundreds to hundreds of thousands of dollars. The three-endpoint exfil infrastructure and the SDK-specific targeting are not consistent with opportunistic credential harvesting.
Key finding: SSH persistence via authorized_keys write
Most npm infostealers extract credentials and do not persist. This package writes a persistent backdoor key before any exfil takes place.
The SSH authorized_keys injection executes at require() time with no install hook, covering MITRE ATT&CK T1098.004. The attacker key written to ~/.ssh/authorized_keys is:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai dev-key
Rather than stealing the victim's existing private key, this package writes an attacker-controlled public key into authorized_keys. The attacker gains a standing SSH login that does not depend on the package remaining installed or the application running again.
Why this matters: Removing the package is not sufficient remediation. Any Linux developer who runs sleek-pretty must inspect ~/.ssh/authorized_keys for the attacker key and rotate all credentials.
Key finding: npm package targeting a prediction market SDK
Generic npm infostealers typically target .env files by extension or scan for common variable names such as AWS_SECRET_ACCESS_KEY. Targeting a specific open-source SDK by its internal source filenames requires knowledge of that SDK's file structure and a deliberate choice to build around it.
The dedicated endpoint /api/validate/project-env, which receives both .env content and SDK source files as a structured payload, indicates the infrastructure was designed for this target before deployment.
Why this matters: Detection tooling built around DeFi wallet patterns or generic .env scanning will not flag SDK-specific filename targeting. Polymarket developers are unlikely to have purpose-built detection coverage for this technique.
Who is behind this
Attribution: DPRK/Famous Chollima (Lazarus Group).
The publisher email pro.bull02@outlook.com is independently associated with DPRK activity in KMSEC's DPRK threat actor tracking. Our analysis reached this attribution and KMSEC's intelligence confirms it.
The TTPs align with Famous Chollima's documented activity, specifically the TraderTraitor campaign described in CISA advisories AA22-108A and AA23-291A: npm supply-chain attacks against cryptocurrency developers, .env and credential file crawls, wallet-themed C2 domains, and throwaway publisher accounts registered immediately before use. The probull02 account — newly registered, single package — matches the operational pattern documented for this actor.
Detection
Node.js writing to authorized_keys: Alert on any non-shell, non-sshd process writing to ~/.ssh/authorized_keys. Flag node as the parent process specifically. Covers MITRE T1098.004.
Require-time network activity without install hooks: Flag npm packages where network IOCs are present but preinstall/postinstall hooks are absent. Detect DNS and HTTP/S activity to novel and new domains.
Outbound POST to mywalletsss[.]store: Block or alert on outbound POST requests to mywalletsss[.]store across all three exfil paths (Panther rule: npm_c2_mywalletsss_store).
Node.js reading Polymarket SDK source files: Alert on node reading files named createClobClient.ts or clob.ts outside of node_modules shortly after a package installation event. Covers MITRE T1083 and T1552.001.
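The detections above as rule logic run over constructed audit-style events. This is an added example, not Panther's npm_c2_mywalletsss_store rule or code from the post; it covers the authorized_keys write, the SDK source read and the C2 connection (the install-hook check is a static property of the package, not an event, and is left out), and the event field names are an assumption.

```python
import re

# Constructed audit-style events (not real telemetry); field names are an assumption,
# map them onto whatever your EDR or auditd pipeline emits.
SAMPLE_EVENTS = [
    {"process": "node", "action": "write", "path": "/home/dev/.ssh/authorized_keys"},
    {"process": "sshd", "action": "write", "path": "/home/dev/.ssh/authorized_keys"},
    {"process": "node", "action": "read", "path": "/home/dev/bot/src/createClobClient.ts"},
    {"process": "node", "action": "read",
     "path": "/home/dev/bot/node_modules/@polymarket/clob-client/src/clob.ts"},
    {"process": "node", "action": "connect", "dest_host": "api.mywalletsss.store"},
]
AUTHORIZED_KEYS_RE = re.compile(r"/\.ssh/authorized_keys2?$")
SDK_FILES = {"createClobClient.ts", "clob.ts"}
C2_DOMAINS = {"mywalletsss.store"}  # C2 from the post; subdomains match too
BENIGN_WRITERS = {"sh", "bash", "zsh", "fish", "sshd", "ssh-copy-id"}

def rule_authorized_keys_write(ev):
    """T1098.004: non-shell, non-sshd process writing authorized_keys; node is critical."""
    if ev.get("action") != "write" or not AUTHORIZED_KEYS_RE.search(ev.get("path", "")):
        return None
    proc = ev.get("process", "")
    if proc in BENIGN_WRITERS:
        return None
    return ("critical" if proc == "node" else "high", f"{proc} wrote {ev['path']}")

def rule_sdk_source_read(ev):
    """T1083 / T1552.001: node reading Polymarket SDK source files outside node_modules."""
    path = ev.get("path", "")
    if ev.get("process") != "node" or ev.get("action") != "read":
        return None
    if "/node_modules/" in path or path.rsplit("/", 1)[-1] not in SDK_FILES:
        return None
    return ("high", f"node read SDK source {path}")

def rule_c2_connect(ev):
    """Outbound connection to the exfil domain or any subdomain of it."""
    host = ev.get("dest_host", "").lower().rstrip(".")
    if ev.get("action") != "connect" or not host:
        return None
    if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        return ("critical", f"{ev.get('process')} connected to {host}")
    return None

RULES = (rule_authorized_keys_write, rule_sdk_source_read, rule_c2_connect)

def evaluate(events):
    """Run every rule over every event; return (severity, message) alerts in order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]
```

The sshd write and the read inside node_modules are deliberately included as negatives so the rules can be checked for false positives before deployment.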
Indicators of Compromise
| IOC | Type | Notes |
|---|---|---|
| api.mywalletsss[.]store | Domain | C2 — all exfil endpoints |
| api.mywalletsss[.]store/api/validate/system-info | URL | System fingerprint beacon |
| api.mywalletsss[.]store/api/validate/files | URL | Filesystem crawl exfil |
| api.mywalletsss[.]store/api/validate/project-env | URL | Polymarket credential exfil |
| ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai dev-key | SSH public key (ed25519) | Backdoor persistence (Linux) — written to ~/.ssh/authorized_keys |
| sleek-pretty@1.0.0 | npm package | Malicious — version 1.0.0 |
| probull02 | npm publisher account | Single-package throwaway identity |
| pro.bull02@outlook.com | Publisher account email | Associated with DPRK activity in KMSEC's threat actor tracking |
If you have installed sleek-pretty: Remove the package immediately. Inspect ~/.ssh/authorized_keys for the attacker key listed above and remove it. Rotate every credential in your .env files and Polymarket CLOB configuration — API keys, secrets, passphrases, and your POLYMARKET_PRIVATE_KEY. Treat all files matching .env, *.json, createClobClient.ts, clob.ts, env.ts, and config.ts within your project tree as exfiltrated. If you are on Linux, assume the attacker has had SSH access to your machine since you last ran this package.
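A triage helper for the remediation steps above, added here and not part of the original post: it matches authorized_keys entries on the attacker key blob rather than the attacker-chosen comment, computes the key's OpenSSH fingerprint for cross-referencing with ssh-keygen -l output, and lists the files in a project tree that the payload targets so they can be treated as exfiltrated. The sample project it builds is constructed.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

# Attacker public key blob exactly as quoted in the post (the trailing comment
# "dev-key" is attacker-chosen and trivially changed, so match on the blob).
ATTACKER_KEY_B64 = "AAAAC3NzaC1lZDI1NTE5AAAAIJxc6YPFfHFzBsAu7z2wZEmwuHc9zBuOoUYrIRM6W+Ai"
# Filenames from the payload's hardcoded set plus the extension the sweep collects.
TARGETED_NAMES = {"env.ts", "config.ts", "createClobClient.ts", "clob.ts"}
TARGETED_SUFFIXES = {".json"}

def key_fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a key blob, as `ssh-keygen -l` prints it."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_attacker_key(authorized_keys_text):
    """Return 1-based line numbers of authorized_keys entries carrying the attacker blob.
    Tokenising the whole line also catches entries prefixed with options (command=...)."""
    return [n for n, line in enumerate(authorized_keys_text.splitlines(), 1)
            if ATTACKER_KEY_B64 in line.split()]

def exposed_files(project_root):
    """List project files the payload would have read or swept, relative to the root.
    node_modules is skipped: the sweep targets the developer's own files."""
    root = Path(project_root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or "node_modules" in p.parts:
            continue
        if p.name in TARGETED_NAMES or p.suffix in TARGETED_SUFFIXES or p.name.startswith(".env"):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def build_sample_project():
    """Constructed project tree (not real data) so the helpers can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="sleek-pretty-triage-"))
    (root / "src").mkdir()
    (root / "node_modules").mkdir()
    (root / ".env").write_text("POLYMARKET_PRIVATE_KEY=<placeholder>\n")
    (root / "src" / "createClobClient.ts").write_text("// bot setup\n")
    (root / "node_modules" / "clob.ts").write_text("// installed SDK copy, not targeted\n")
    (root / "README.md").write_text("# bot\n")
    return str(root)
```

Point find_attacker_key at the contents of ~/.ssh/authorized_keys on each Linux host that ran the package, and exposed_files at each bot project root; the key check is a presence test only and says nothing about whether the key has already been used to log in.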
1. Polymarket platform-reported open interest, March 2026. polymarket.com
2. Polymarket platform-reported 30-day trading volume, March 2026. polymarket.com