216.73.217.86

Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor

· Published 13/04/2026 17:11 · Modified 13/04/2026 16:23

Export JSON

Essential information

Published
13/04/2026 17:11
Modified
13/04/2026 16:23
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
authorized_keys persistence clob api cryptocurrency theft dprk npm supply chain polymarket sleek-pretty ssh backdoor wallet credential exfiltration
Tags
2026-04-13 authorized_keys persistence clob api cryptocurrency theft dprk npm supply chain polymarket sleek-pretty ssh backdoor wallet credential exfiltration
Related entities
6 indicators, 6 observables, 1 intrusion sets (apt), 1 malware, 4 others

Description

On April 10, 2026, a malicious npm package named @1.0.0 was published, targeting developers running automated trading bots on , a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, installation on Linux hosts, filesystem exfiltration, and targeted theft of credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to 's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known infrastructure.

External references