The sums at stake are the kind that make people forget any notion of decency.

A malicious package has been found on npm that poses as a harmless logging tool but in fact opens access to crypto wallets and developer servers. The attack targets a narrow audience: authors of trading bots for the Polymarket platform, through which hundreds of millions of dollars flow.
The package, “sleek-pretty” version 1.0.0, was published to the npm registry on April 10 from a newly created account, probulul02. Once added to a project, its code runs as soon as the module is loaded, with no separate install step, and carries out several malicious actions at once. To hide its logic the attackers obfuscated the JavaScript, and analysts first had to deobfuscate it.
The primary target is developers who write automated trading bots for Polymarket. Such bots work through the official SDK and usually keep API credentials and wallet private keys in .env files, and it is precisely this data that the malicious code looks for. The attack also accounts for how these projects are laid out: rather than simply sweeping directory contents, it deliberately searches for specific SDK files.
After launch the package collects system information, including the operating system type, IP address and username, and sends it to a command-and-control server. On Linux it also establishes persistence: an attacker-controlled SSH key is appended to authorized_keys. That access survives both removal of the package and a password change.
Next, the code walks the file system looking for .env files, JSON documents and office documents, and uploads them to a remote server. Files belonging to Polymarket projects, including configurations and SDK source code, are processed separately. As a result the attackers obtain both the API credentials used for trading and the wallet private keys, which give full control over the funds.
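Developers who used the package need to know two things quickly: which credentials in their project tree are now presumed stolen and must be rotated, and whether the package is still referenced anywhere. The script below is an added example, not code from the article or from any of the tooling it describes. It assumes wallet private keys are stored as 32-byte hex strings (with or without a 0x prefix) and that credentials live in .env files, as the article says; the variable names and the sample project tree are constructed for the demonstration and are not the SDK's real names.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Package name and version reported in the article.
SUSPECT_PACKAGE = "sleek-pretty"
SUSPECT_VERSION = "1.0.0"

# Assumption: wallet private keys are stored as 32-byte hex strings, with or
# without a 0x prefix (the usual EVM wallet format). Adjust for other formats.
HEX_PRIVATE_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# Variable names that usually hold credentials worth rotating.
SENSITIVE_NAME = re.compile(r"PRIVATE_KEY|SECRET|API_KEY|PASSPHRASE|TOKEN", re.I)
SKIP_DIRS = {"node_modules", ".git"}
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file; comments and blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        entries[key] = value.strip().strip("'\"")
    return entries


def walk_project(root):
    """os.walk over the project, skipping directories that are not the developer's own code."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        yield Path(dirpath), filenames


def find_exposed_secrets(root):
    """Return (path, variable, reason) for every credential found in .env files under root."""
    findings = []
    for directory, filenames in walk_project(root):
        for name in filenames:
            if name != ".env" and not name.startswith(".env."):
                continue
            path = directory / name
            for key, value in parse_env(path.read_text(errors="replace")).items():
                if HEX_PRIVATE_KEY.match(value):
                    findings.append((str(path), key, "value looks like a hex private key"))
                elif value and SENSITIVE_NAME.search(key):
                    findings.append((str(path), key, "credential-like variable name"))
    return findings


def find_package_references(root, package=SUSPECT_PACKAGE):
    """Return manifests and lockfiles under root that reference the package."""
    hits = []
    for directory, filenames in walk_project(root):
        for name in ("package.json", "package-lock.json"):
            if name not in filenames:
                continue
            path = directory / name
            try:
                data = json.loads(path.read_text())
            except (OSError, ValueError):
                continue
            if not isinstance(data, dict):
                continue
            if name == "package.json":
                found = any(package in data.get(section, {}) for section in DEP_SECTIONS)
            else:
                # Lockfile v2/v3 keys entries by node_modules path; v1 uses "dependencies".
                found = (any(k.endswith("node_modules/" + package) for k in data.get("packages", {}))
                         or package in data.get("dependencies", {}))
            if found:
                hits.append(str(path))
    return hits


def audit(root):
    """Everything a developer must act on: secrets to rotate and package references to remove."""
    return {"secrets": find_exposed_secrets(root), "package_refs": find_package_references(root)}


def build_sample_project():
    """Constructed sample project (not real data) that exercises both checks."""
    root = Path(tempfile.mkdtemp(prefix="polybot-"))
    (root / "package.json").write_text(json.dumps(
        {"name": "trading-bot", "dependencies": {SUSPECT_PACKAGE: SUSPECT_VERSION}}))
    (root / ".env").write_text(
        "# constructed sample, not a real key\n"
        "PRIVATE_KEY=0x" + "ab" * 32 + "\n"
        "TRADING_API_KEY=example-api-key\n"
        "LOG_LEVEL=debug\n")
    (root / "node_modules").mkdir()
    (root / "node_modules" / ".env").write_text("IGNORED=1\n")  # must not be reported
    return root


if __name__ == "__main__":
    for section, items in audit(build_sample_project()).items():
        print(section, items)
```

Run `audit()` against the real project directory. Anything under `secrets` is already in the attacker's hands if the package ever ran, so rotate it regardless of whether the value still looks valid; a `package_refs` hit means the dependency must also be removed from the manifest and lockfile before the next `npm install` pulls it back in.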
The combination of access levels is what makes this particularly dangerous. API keys let an attacker manage orders, while the private key lets them withdraw funds directly from the wallet, bypassing the platform entirely. Given that such bots manage accounts holding anywhere from hundreds to hundreds of thousands of dollars, the consequences can be serious.
The analysis links the attack to the North Korean group Lazarus (activity some vendors track under the name Famous Chollima). The methods match earlier campaigns against developers of crypto services: fake packages, theft of configuration files, and the use of throwaway accounts.
The situation is complicated by the fact that removing the package does not fully resolve the problem: if the SSH backdoor is in place, the attacker can keep control of the system. Developers who installed “sleek-pretty” are advised to inspect their authorized_keys file, delete any keys they do not recognise, and rotate every credential, including API keys and wallet private keys.
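Checking authorized_keys by eye is unreliable, because a planted key can carry a plausible comment such as a colleague's e-mail address. The script below, an added example rather than code from the article or from any of the parties it describes, compares entries by their key material against an allowlist and removes anything unexpected. It assumes you hold that allowlist somewhere the compromised host cannot alter (config management, the team's key inventory); the sample file and the key blobs in it are constructed and are not real keys.

```python
import stat
import tempfile
from pathlib import Path

# Assumption: the allowlist of legitimate public keys comes from somewhere the
# compromised host cannot modify (config management, the team's key inventory).
# Keys are compared by their base64 blob, so a foreign key cannot hide behind a
# familiar-looking comment or an options prefix.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_key_line(line):
    """Return (key_type, blob, comment) for an authorized_keys entry, or None for
    blank and comment lines. Leading option fields (command=..., from=...) are skipped."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    return None


def find_unknown_keys(path, allowed_blobs):
    """List entries whose key blob is not in the allowlist."""
    unknown = []
    for line in Path(path).read_text().splitlines():
        parsed = parse_key_line(line)
        if parsed and parsed[1] not in allowed_blobs:
            unknown.append(parsed)
    return unknown


def remove_unknown_keys(path, allowed_blobs):
    """Rewrite the file keeping only allowlisted keys and comments; return how many were removed."""
    p = Path(path)
    kept, removed = [], 0
    for line in p.read_text().splitlines():
        parsed = parse_key_line(line)
        if parsed and parsed[1] not in allowed_blobs:
            removed += 1
            continue
        kept.append(line)
    p.write_text(("\n".join(kept) + "\n") if kept else "")
    p.chmod(stat.S_IRUSR | stat.S_IWUSR)  # 0600; sshd rejects group/world-writable files anyway
    return removed


def build_sample():
    """Constructed authorized_keys (not real keys): two sanctioned entries and one foreign one."""
    ssh_dir = Path(tempfile.mkdtemp(prefix="home-")) / ".ssh"
    ssh_dir.mkdir()
    known = ["AAAAC3NzaC1lZDI1NTE5AAAAIKNOWN1", "AAAAC3NzaC1lZDI1NTE5AAAAIKNOWN2"]
    foreign = "AAAAC3NzaC1lZDI1NTE5AAAAIFOREIGN"
    path = ssh_dir / "authorized_keys"
    path.write_text(
        "# deploy keys managed by ops\n"
        f"ssh-ed25519 {known[0]} alice@laptop\n"
        f'command="/usr/bin/rsync --server" ssh-ed25519 {known[1]} backup@nas\n'
        f"ssh-ed25519 {foreign}\n")
    return path, set(known)


if __name__ == "__main__":
    path, allowed = build_sample()
    for key_type, blob, comment in find_unknown_keys(path, allowed):
        print("unknown key:", key_type, blob[:16] + "...", comment or "(no comment)")
    print("removed:", remove_unknown_keys(path, allowed))
```

Run it over every account's file, not only the developer's own: root's and service accounts' `~/.ssh/authorized_keys`, plus any alternative location named by `AuthorizedKeysFile` in `sshd_config`. Removing the key closes that one door; because the attacker had a shell on the machine, the credential rotation the article recommends still has to happen, and it has to happen after the key is gone, not before.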
