The OX Research team recently discovered a malicious npm package – polymarket-kit – executing a multi-stage cryptocurrency theft and credential exfiltration campaign. The package specifically impersonates Polymarket to target high-value crypto users. In a new demonstration of sloppy malware – the threat actor left their own GitLab private SSH keys exposed in cleartext within the public package.
The malware also acts as a Remote Access Trojan (RAT), giving full access to the attacker to execute commands on the victim’s machine through a WebSocket connection.
The code also targets cloud providers – Google, AWS and Azure and to harvest keys and configurations.
Note on Campaign Lineage: Similar variations of this campaign, including packages utilizing the names polymarket-, clob-, and kelly-*, were previously flagged by StepSecurity and Panther Labs.
Package name
Affected versions
polymarket-kit
Any
Uninstall the affected packages immediately
Add 2FA to your crypto-currency wallets and check for suspicious transactions
polymarket-kit has a multi-stage dropper logic, with exposed private keys and far more enhanced malicious techniques. This will be the main focus of our technical analysis.
The threat actor left its GitLab private keys and public SSH keys in cleartext inside the package:
The malware contacts svganchordev[.]net which masquerades as an imaging website, and downloads an obfuscated payload which is later executed. This server is also used later as a C2 for uploading exfiltrated data.
The malware’s obfuscated payload:
After we deobfuscated the malware we found a few interesting techniques:
The malware looks for crypto-wallet browser extensions, and tries to steal their data
The malware uses WebSocket to communicate with the remote C2 server
The malware targets not just crypto, but also cloud configurations and tokens
The malware exposes RAT capabilities, allowing the threat actor to fully control the impacted machine.
The list of targeted cryptocurrency extension IDs
nkbihfbeogaeaoehlefnkodbefgpgknn (MetaMask)
bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom)
ibnejdfjmmkpcnlpebklmnkoeoihofec (TronLink)
ejbalbakoplchlghecdalmeeeajnimhm (Coinbase Wallet)
khpkpbbcccdmmclmpigdgddabeilkdpd (OKX Wallet)
egjidjbpglichdcondbcbdnbeeppgdph (Trust Wallet)
acmacodkjbdgmoleebolmdjonilkdbch (Rabby Wallet)
Hardcoded desktop wallets:
Exodus
Guarda
Electrum
Atomic Wallet
The malware goes over all the extensions inside the user’s browser and tries to extract and decrypt their internal databases
The malware targets cloud providers
Google Cloud
AWS
Azure
The malware tries to upload the decrypted extension data, crypto wallets and cloud data to the remote server:
The malware uses the WebSocket protocol to keep a persistent connection with the threat actor’s servers, and to upload the stolen data:
The malware also gives the remote server full access to the machine, including executing any arbitrary command through the WebSocket using the “exec” function:
svganchordev[.]net
testm@DESKTOP-PO28IS1
Private Key
—–BEGIN OPENSSH PRIVATE KEY—–
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCrR3Mn3AmhNlxIgR5TBIz+lYyM9wpPIGhAxO0PoMDeMAAAAJhdP5NOXT+T
TgAAAAtzc2gtZWQyNTUxOQAAACCrR3Mn3AmhNlxIgR5TBIz+lYyM9wpPIGhAxO0PoMDeMA
AAAEAvDamb9uMEZlR4JCnbcS2KV7TvHygFrtKFceqipGPxuqtHcyfcCaE2XEiBHlMEjP6V
jIz3Ck8gaEDE7Q+gwN4wAAAAFXRlc3RtQERFU0tUT1AtUE8yOElTMQ==
—–END OPENSSH PRIVATE KEY—–
Public Key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtHcyfcCaE2XEiBHlMEjP6VjIz3Ck8gaEDE7Q+gwN4w testm@DESKTOP-PO28IS1
The post Malware-Slop: Crypto Stealer Impersonating Polymarket Exposes Its Own Credentials appeared first on OX Security.