Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor
A malicious npm package named sleek-pretty@1.0.0 was published on April 10, 2026, targeting developers using automated trading bots on Polymarket. The package executes multiple attack chains immediately upon import, including system fingerprinting, installation of an SSH backdoor on Linux hosts, filesystem data exfiltration, and theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The attacker gains persistent access by adding an SSH public key to authorized_keys and can directly drain USDC balances using stolen private keys. Attribution links this campaign to the DPRK's Lazarus Group based on tactics, techniques, and procedures (TTPs) and infrastructure correlations. No official patch or remediation guidance is currently available, and no known exploits in the wild have been reported.
AI Analysis
Technical Summary
The threat involves a malicious npm package, sleek-pretty@1.0.0, which targets developers running trading bots on Polymarket by executing a multi-stage attack upon import. The attack includes system fingerprinting, installing an SSH backdoor on Linux systems for persistent access, exfiltrating filesystem data, and stealing API credentials and private keys related to Polymarket's CLOB API and Ethereum/Polygon wallets. The attacker writes an SSH public key to authorized_keys to maintain access and can use stolen private keys to drain USDC balances. The campaign is attributed to the DPRK's Lazarus Group based on matching TTPs and publisher email infrastructure. There is no indication of a patch or fix, and the service is not cloud-hosted, so remediation depends on user action.
Potential Impact
The impact includes unauthorized persistent access to affected Linux hosts via an SSH backdoor, exfiltration of sensitive filesystem data, theft of Polymarket CLOB API credentials, and Ethereum/Polygon wallet private keys. This enables the attacker to directly drain USDC cryptocurrency balances from compromised wallets. The compromise affects developers using the malicious npm package, potentially leading to significant financial loss and system compromise.
Mitigation Recommendations
No official patch or remediation guidance is currently available. Users should immediately audit their npm dependencies for the presence of the sleek-pretty@1.0.0 package and remove it if found. Review and revoke any compromised API credentials and wallet private keys. Inspect Linux hosts for unauthorized SSH keys in authorized_keys and remove any suspicious entries. Rotate all affected credentials and wallet keys. Monitor for unusual SSH access and consider rebuilding compromised systems. Patch status is not yet confirmed — check vendor advisories or npm security channels for updates.
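Two of the checks the recommendations above call for, as an added example that is not part of the advisory: scanning an npm lockfile for sleek-pretty@1.0.0 and flagging authorized_keys entries whose key material is not on a known-good list. The lockfile content and the key lines are constructed placeholders, not real captured data.

```python
import json

# Added example, not code from the report: two of the mitigation checks above.
# name -> versions named in the advisory
MALICIOUS = {"sleek-pretty": {"1.0.0"}}

def find_malicious_packages(lockfile_text, blocklist=MALICIOUS):
    """Return 'name@version' for each blocklisted install in a package-lock.json.
    Handles lockfileVersion 2/3 ('packages' path map) and v1 ('dependencies' tree)."""
    lock = json.loads(lockfile_text)
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # strip nested node_modules prefixes
        if meta.get("version") in blocklist.get(name, set()):
            hits.add(f"{name}@{meta['version']}")

    def walk(deps):  # v1 lockfiles nest transitive deps under each entry
        for name, meta in deps.items():
            if meta.get("version") in blocklist.get(name, set()):
                hits.add(f"{name}@{meta['version']}")
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return sorted(hits)

def unknown_authorized_keys(authorized_keys_text, known_key_material):
    """Return lines whose 'type base64' key material is not in the allowlist.
    The trailing comment is ignored, so relabelling a rogue key does not hide it."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options prefix (e.g. no-pty) may precede the key type; locate the type field.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        material = f"{fields[idx]} {fields[idx + 1]}" if idx is not None and idx + 1 < len(fields) else None
        if material not in known_key_material:  # malformed lines (material None) are flagged too
            unknown.append(line)
    return unknown

# Constructed sample inputs (placeholder key blobs, not real keys or a real project)
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "polybot"}, "node_modules/axios": {"version": "1.6.0"},
    "node_modules/sleek-pretty": {"version": "1.0.0"}}})
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNDEVOPSKEYPLACEHOLDER"}
SAMPLE_AUTH_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNDEVOPSKEYPLACEHOLDER devops@laptop\n"
                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNKNOWNKEYPLACEHOLDER root@build\n")
```

Run `find_malicious_packages` against the real `package-lock.json` of each trading-bot project and `unknown_authorized_keys` against each Linux host's `~/.ssh/authorized_keys` with your own allowlist.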
Indicators of Compromise
- url: http://api.mywalletsss.store/api/validate/system-info
- url: https://api.mywalletsss.store/api/validate/files
- url: https://api.mywalletsss.store/api/validate/project-env
- url: https://api.mywalletsss.store/api/validate/system-info
- domain: mywalletsss.store
- domain: api.mywalletsss.store
Technical Details
- Author: AlienVault
- TLP: white
- References: https://panther.com/blog/polymarket-trader-funds-at-risk-dprk-npm-package-steals-wallet-keys
- Adversary: Famous Chollima
- Pulse Id: 69dd07b82c8afdcdfda7a898
- Threat Score: null
Threat ID: 69dd171882d89c981f125412
Added to database: 4/13/2026, 4:17:28 PM
Last enriched: 4/13/2026, 4:32:01 PM
Last updated: 4/14/2026, 8:14:29 AM