Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor
Essential information
- Published
- 13/04/2026 17:11
- Modified
- 13/04/2026 16:23
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- authorized_keys persistence clob api cryptocurrency theft dprk npm supply chain polymarket sleek-pretty ssh backdoor wallet credential exfiltration
- Tags
- 2026-04-13 authorized_keys persistence clob api cryptocurrency theft dprk npm supply chain polymarket sleek-pretty ssh backdoor wallet credential exfiltration
- Related entities
- 6 indicators, 6 observables, 1 intrusion sets (apt), 1 malware, 4 others
Description
On April 10, 2026, a malicious npm package named sleek-pretty@1.0.0 was published, targeting developers running automated trading bots on Polymarket, a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, SSH backdoor installation on Linux hosts, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to DPRK's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known DPRK infrastructure.