AI vs. Supply Chain Security: Learn how to defend your code. Save your seat.

Malware-Slop: Crypto Stealer Impersonating Polymarket Exposes Its Own Credentials

Malware Slop npm’s polymarket kit Leaked Its Own Creator's Keys

polymarket-kit: npm Supply Chain Attack Combines Cloud Harvesting and a WebSocket RAT—Then Exposes Its Own GitLab Credentials

Overview

The OX Research team recently discovered a malicious npm package – polymarket-kit – executing a multi-stage cryptocurrency theft and credential exfiltration campaign. The package specifically impersonates Polymarket to target high-value crypto users. In a new demonstration of sloppy malware – the threat actor left their own GitLab private SSH keys exposed in cleartext within the public package.

The malware also acts as a Remote Access Trojan (RAT), giving full access to the attacker to execute commands on the victim’s machine through a WebSocket connection.

The code also targets cloud providers – Google, AWS and Azure and to harvest keys and configurations.

Note on Campaign Lineage: Similar variations of this campaign, including packages utilizing the names polymarket-*, clob-*, and kelly-*, were previously flagged by StepSecurity and Panther Labs. 

Affected Packages

Package nameAffected versions
polymarket-kitAny
  1. Uninstall the affected packages immediately
  2. Add 2FA to your crypto-currency wallets and check for suspicious transactions

Technical Analysis: polymarket-kit

image

polymarket-kit has a multi-stage dropper logic, with exposed private keys and far more enhanced malicious techniques. This will be the main focus of our technical analysis.

The threat actor left its GitLab private keys and public SSH keys in cleartext inside the package:

image

The malware contacts svganchordev[.]net which masquerades as an imaging website, and downloads an obfuscated payload which is later executed. This server is also used later as a C2 for uploading exfiltrated data.

image

The malware’s obfuscated payload:

image

After we deobfuscated the malware we found a few interesting techniques:

  • The malware looks for crypto-wallet browser extensions, and tries to steal their data
  • The malware uses WebSocket to communicate with the remote C2 server
  • The malware targets not just crypto, but also cloud configurations and tokens
  • The malware exposes RAT capabilities, allowing the threat actor to fully control the impacted machine.

The list of targeted cryptocurrency extension IDs

  • nkbihfbeogaeaoehlefnkodbefgpgknn (MetaMask)
  • bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom)
  • ibnejdfjmmkpcnlpebklmnkoeoihofec (TronLink)
  • ejbalbakoplchlghecdalmeeeajnimhm (Coinbase Wallet)
  • khpkpbbcccdmmclmpigdgddabeilkdpd (OKX Wallet)
  • egjidjbpglichdcondbcbdnbeeppgdph (Trust Wallet)
  • acmacodkjbdgmoleebolmdjonilkdbch (Rabby Wallet)
image

Hardcoded desktop wallets:

  • Exodus
  • Guarda
  • Electrum
  • Atomic Wallet
image

The malware goes over all the extensions inside the user’s browser and tries to extract and decrypt their internal databases

image
image

The malware targets cloud providers

  • Google Cloud
  • AWS
  • Azure
image

The malware tries to upload the decrypted extension data, crypto wallets and cloud data to the remote server:

image

The malware uses the WebSocket protocol to keep a persistent connection with the threat actor’s servers, and to upload the stolen data:

image

The malware also gives the remote server full access to the machine, including executing any arbitrary command through the WebSocket using the “exec” function:

image

IOCs

  • svganchordev[.]net
  • testm@DESKTOP-PO28IS1

Private Key

—–BEGIN OPENSSH PRIVATE KEY—–

b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW

QyNTUxOQAAACCrR3Mn3AmhNlxIgR5TBIz+lYyM9wpPIGhAxO0PoMDeMAAAAJhdP5NOXT+T

TgAAAAtzc2gtZWQyNTUxOQAAACCrR3Mn3AmhNlxIgR5TBIz+lYyM9wpPIGhAxO0PoMDeMA

AAAEAvDamb9uMEZlR4JCnbcS2KV7TvHygFrtKFceqipGPxuqtHcyfcCaE2XEiBHlMEjP6V

jIz3Ck8gaEDE7Q+gwN4wAAAAFXRlc3RtQERFU0tUT1AtUE8yOElTMQ==

—–END OPENSSH PRIVATE KEY—–

Public Key

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtHcyfcCaE2XEiBHlMEjP6VjIz3Ck8gaEDE7Q+gwN4w testm@DESKTOP-PO28IS1

Tags:

post banner image

Security That Moves at the Speed AI Builds

See what your AI agents decide and whether it’s safe before it runs. Connect a repo in minutes.

Get Your Software Secured
Frame 2085668530

Subscribe to Our Newsletter

Stay updated with the latest SaaS insights, tips, and news delivered straight to your inbox.

Group 1261154229