Polymarket Arbitrage Bot on GitHub Was Actually North Korean Malware

Published by James Harris on


What You Need to Know

  • Fake Polymarket arbitrage bot on GitHub infected 53 developers before detection on July 1, 2026.
  • Legitimate bots extracted $414,000 and $2.2 million from Polymarket, lending credibility to the malicious version.
  • Malware hidden in “clob-client-math” dependency activated upon npm install, stealing crypto wallets and credentials.
  • North Korean “Contagious Trader” operation targeted crypto developers through compromised npm accounts and supply chain attacks.

On July 1, 2026, security firm SlowMist flagged a fake Polymarket arbitrage bot on GitHub that had already been downloaded by at least 53 developers before anyone caught it. The bot promised over $80,000 in annual profits, collected 36 stars and 53 forks, and delivered malware the moment someone ran “npm install.”

The lure was credible because the underlying premise is real. Legitimate bots have genuinely extracted extraordinary returns from Polymarket: one turned $313 into $414,000 in a single month, and another generated $2.2 million over two months, both documented by named researchers. That track record gave the fake bot cover, and the attackers knew it.

The setup followed a now-familiar supply chain attack pattern: 30 malicious npm packages spread across multiple fresh accounts, all pointing to one repository. The malware itself was buried inside a dependency called “clob-client-math,” which was listed in the package.json but never actually imported anywhere in the bot’s source code, a tell that would only be visible to someone auditing the dependency tree rather than just running the installer.

Security researchers attribute the campaign to North Korean actors running a broader operation called “Contagious Trader,” targeting crypto developers specifically. In March, hackers hijacked an Axios developer’s npm account to push malicious packages; in May, one compromised account was used to take over 323 packages in under 30 minutes.

The instruction to paste a Polymarket private key into a .env file before installation was not a bug in the attack design. It was the point.

Once installed, the malware swept MetaMask, Phantom, Coinbase Wallet, TrustWallet, browser-saved passwords from Chrome, Firefox, and Brave, SSH keys, AWS credentials, npm and PyPI tokens, and data from password managers including Bitwarden, KeePass, and 1Password. That is not a smash-and-grab on one wallet. It is a full-environment compromise, the kind that gives an attacker persistent access across cloud infrastructure, developer pipelines, and any downstream projects the victim touches. This attack lands in a context where Polymarket users were already on edge: a separate phishing campaign in late June drained $2.94 million from at least 11 accounts. Two distinct attack vectors in under two weeks on the same platform suggest coordinated attention, not coincidence.

SafeDep’s guidance is unambiguous: any machine that ran the installer should be treated as fully compromised. Rotate all wallet keys, replace every browser-stored password, and cycle AWS credentials, SSH keys, and API tokens. For developers auditing exposure, the simplest check is to look for packages listed in package.json that never appear anywhere in the actual source code.

Categories: News

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.
