JavaScript Supply-Chain Risk: Malicious npm Package and Package Manager Guardrail Bypasses
Security researchers reported an npm supply-chain compromise involving a malicious package, polymarket-clob, that targeted cryptocurrency users by exfiltrating sensitive local files (including .env, wallets.json, and keys/*.json) to attacker-controlled infrastructure. The package was published in the npm registry, downloaded at least 189 times (lower bound), and later removed and replaced with a security placeholder; analysis of the code and infrastructure pivoting linked the campaign to broader activity consistent with wallet-drainer operations and Vidar stealer-related infrastructure, including reuse of SSH fingerprints and consistent hosting patterns.
Separately, researchers disclosed six JavaScript “zero-day” bypass issues across multiple package managers—npm, pnpm, vlt, and Bun—that undermine common defensive controls used to reduce supply-chain risk, including disabling lifecycle scripts and relying on lockfile integrity. The issues (dubbed “PackageGate”) reportedly enable paths to regain install-time code execution or weaken integrity guarantees via mechanisms such as Git dependency handling, tar extraction behaviors, and incomplete integrity coverage for URL-based tarballs; pnpm, vlt, and Bun were reported as patched, while npm characterized the behavior as “works as expected,” raising concern that package-manager-level weaknesses could enable large-scale compromise even in hardened environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Panther report links Polymarket npm theft to DPRK-linked tradecraft
A Panther report publicly attributed the malicious npm activity targeting Polymarket traders to DPRK-linked tradecraft, tagged as Famous Chollima. The report also said the package stole wallet keys and installed an SSH backdoor, adding new technical and attribution details to the incident.
npm declines fix, saying behavior works as expected
npm, owned by Microsoft, told researchers that the reported behavior "works as expected" rather than issuing a patch. The response drew criticism that significant package-manager security gaps remained unaddressed.
pnpm, vlt, and Bun patch PackageGate flaws
Following Koi's reporting, pnpm, vlt, and Bun patched the disclosed PackageGate vulnerabilities. The fixes addressed weaknesses including Git dependency handling, incomplete integrity coverage for URL-based tarballs, tar extraction path traversal, and allow-list spoofing.
Koi discloses six PackageGate zero-days in JavaScript package managers
Researchers at Koi disclosed "PackageGate," a set of six zero-day vulnerabilities affecting npm, pnpm, vlt, and Bun. The flaws could bypass common supply-chain defenses such as disabling lifecycle scripts and relying on lockfile integrity hashes, potentially restoring install-time code execution for attackers.
Malicious polymarket-clob package is removed from npm
After its malicious behavior was identified, the "polymarket-clob" package was later removed from the npm registry. The removal followed discovery that it was stealing sensitive data and wallet-related material from users.
Malicious npm package polymarket-clob targets Polymarket users
The npm package "polymarket-clob" was used to exfiltrate sensitive local files, including environment variables and wallet or key material, from Polymarket users to attacker-controlled infrastructure. On-chain evidence from a reported victim showed a small ETH transfer to an address assessed as attacker-controlled.
Vidar Stealer telemetry overlaps with shared infrastructure cluster
Historical telemetry showed one IP in the identified infrastructure cluster overlapping with Vidar Stealer detections during the same timeframe. This indicated the infrastructure had also been used in other malware activity, though not conclusively by the same operator.
Wallet drainer tied to fake Monad testnet infrastructure appears
An older "Monad testnet" GitHub-script wallet drainer was used to harvest Ethereum private keys from wallet.txt files and send them to infrastructure later linked to other malicious activity. Subsequent analysis connected this infrastructure to domains impersonating blockchain testnet services.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Post by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourcePolymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor - Panther | The Security Monitoring Platform for the Cloud
panther.com
Open sourceInfrastructure Pivoting: Malicious Polymarket npm, Wallet Drainer, and Vidar Stealer | by Cyb3rhawk | ADHD-Attack Detect Hunt Defend | Jan, 2026 | Medium
medium.com
Open sourceSix JavaScript zero-day bugs lead to fears of supply chain attack | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Software Supply Chain Threats Targeting Open-Source Ecosystems and Developer Tooling
Open-source software supply chain risk continued to escalate, with reporting citing **454,600+** newly identified malicious packages across major repositories (including **PyPI, npm, Maven Central, NuGet, and Hugging Face**) and tactics ranging from **credential theft** to **multi-stage attacks** and even early **self-replicating** package malware. The activity reportedly concentrated heavily in **npm**, including high-volume “ecosystem flooding” (e.g., single accounts publishing **150,000+** malicious packages in days) and **hijacking of trusted projects**, exploiting developer reliance on superficial trust signals such as package names, READMEs, and download counts. Separately, researchers disclosed **“PackageGate”** vulnerabilities in JavaScript package managers (**npm, pnpm, vlt, and Bun**) that can bypass common post-incident defenses—namely `--ignore-scripts` and lockfile integrity—enabling malicious code execution via compromised dependencies. Koi Security reported six issues; **pnpm, vlt, and Bun** shipped fixes, while **npm** reportedly treated the behavior as expected. In parallel, threat actors abused **GitHub’s fork architecture** to distribute a spoofed *GitHub Desktop* installer promoted via search ads; execution deployed **HijackLoader** and established persistence via a **scheduled task**, underscoring that supply chain threats extend beyond package registries into developer tooling distribution channels.
Mar 21, 2026
Software Supply-Chain Attacks Abusing GitHub and npm Dependency Mechanisms
Security researchers reported two distinct software supply-chain abuse paths that can make malicious code appear to originate from trusted sources. GMO Cybersecurity by Ierae described an active campaign dubbed **“repo squatting”** that abuses how GitHub renders and links commits from forks: a commit made in an attacker-controlled fork can be viewed under the upstream project’s URL structure, enabling convincing links like `github.com/<official-org>/<repo>/commit/<hash>` that appear to belong to the official repository. The campaign targeted the *GitHub Desktop* project by distributing a trojanized installer carrying **HijackLoader**, with the malicious download link presented in a way that could mislead users and some security tooling into believing it came from the official repo. Separately, Koi researchers disclosed **PackageGate** weaknesses in JavaScript dependency tooling that allow bypassing npm’s post–**Shai-Hulud** mitigations when installing **Git-based dependencies**. They reported that a malicious `.npmrc` in a Git dependency can override the `git` binary path, enabling **code execution even when lifecycle scripts are disabled** (e.g., `--ignore-scripts=true`), affecting multiple tools (including *pnpm*, *vlt*, *Bun*, and *npm*). Vendors reportedly addressed the issue in the non-npm tools, while npm closed the report as “works as expected,” and researchers cited evidence of prior proof-of-concept abuse (e.g., reverse shell) indicating practical exploitation risk for organizations relying on Git dependencies in CI/CD and developer environments.
Mar 21, 2026
npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise
Threat actors are using **malicious npm packages** to steal developer credentials and CI/CD secrets, enabling rapid escalation into cloud environments. Google reported that **UNC6426** leveraged keys stolen during the earlier compromise of the *nx* npm ecosystem to pivot from a stolen developer GitHub token into **AWS administrative access within 72 hours**, abusing **GitHub-to-AWS OpenID Connect (OIDC) trust** to create a new admin role. The actor then used that access to **exfiltrate data from AWS S3** and conduct **destructive actions** in production cloud environments; the initial *nx* compromise involved a GitHub Actions `pull_request_target` workflow abuse (“**Pwn Request**”) that enabled publishing trojanized packages containing a `postinstall` chain that executed the **QUIETVAULT** JavaScript credential stealer and uploaded stolen data to a public GitHub repo (`/s1ngularity-repository-1`). Separately, researchers reported new waves of the **PhantomRaven** npm supply-chain campaign distributing **88 additional malicious packages** (via ~50 disposable accounts) that target JavaScript developers by exfiltrating secrets from files like `.gitconfig` and `.npmrc`, environment variables, and CI/CD tokens (e.g., GitHub/GitLab/Jenkins/CircleCI). The campaign uses **slopsquatting** (LLM-suggested lookalike package names) and a stealth technique called **Remote Dynamic Dependencies (RDD)**, where `package.json` pulls a dependency from an external URL so the malicious payload is fetched at install time (`npm install`) and can evade static package inspection; researchers indicated many of these packages remained available in the npm registry at the time of reporting.
Mar 21, 2026