A Fourth Indirect-Trust Vector Just Surfaced. Polymarket Bot Stole Wallet Keys Through A Hijacked Verified GitHub Org. Also We Now Have ShinyHunters' Leak-Site Onion.
- Patrick Duggan
- 5 minutes ago
- 4 min read
I wrote a blog this morning naming three indirect-trust supply-chain vectors that hit corporate developers in May 2026 — Laravel-Lang tag-pointers, Megalodon workflow files, Ghost CMS themes — and argued that the criminal marketplace had moved that doctrine into operational use. Six hours later, while back-filling adversary profiles into our IOC index, our extractor surfaced an unexpected URL inside a TeamPCP-related research article: a Cloudflare Workers endpoint at polymarketbot.polymarketdev.workers.dev serving a /v1/wallets/keys path. That URL was the entry point to a fourth campaign, fully documented by StepSecurity's threat intelligence team, that fits the same doctrine and adds a crypto-theft revenue surface to the pattern.
The campaign
The dev-protocol GitHub organization is a verified-account Japanese DeFi project established in April 2019 with 568 followers. Starting on or around February 26, 2026, that organization was hijacked. Attackers using accounts named insionCEO (commits) and wizardev-sol (issue management) published a new repository called polymarket-copytrading-bot-sport. The repository advertised itself as a copy-trading bot for Polymarket, the prediction-market platform — bait-shaped for the same crypto-trader audience that has lost over half a million dollars to Polymarket-themed phishing across the last year.
The malicious payload lives in the bot's npm dependency chain, four packages deep:
- [email protected]: impersonates big.js and wraps the next package.
- [email protected]: typosquats bignumber.js and wraps the next package.
- [email protected]: a J2TEAM-obfuscated file stealer that exfiltrates .env, id.json, config.toml and Config.toml.
- [email protected]: an anti-tamper-obfuscated SSH backdoor installer whose postinstall hook writes attacker keys to ~/.ssh/authorized_keys.
Two seconds after npm install finishes, the SSH backdoor is in place. Four seconds after the bot starts, the file exfiltration begins. Sixteen seconds end to end, from clone to compromise. Note the split between the two stages: the backdoor needs only npm install, so a developer who clones the repository to read the code and installs dependencies before deciding whether to run anything has already handed over SSH access.
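A practical check against the install-time hook described above, as an added example that is not code from the original post or from StepSecurity's report: it walks a node_modules tree (nested trees included), lists every package that declares an install-time lifecycle hook, flags hook commands that touch SSH key locations or spawn processes, and diffs authorized_keys against a snapshot taken before npm install. The tree, the package names (clean-lib, wrapper-lib, inner-installer, build-helper) and the authorized_keys contents are constructed placeholders, not the campaign's packages or real keys.

```python
import json
import re
import tempfile
from pathlib import Path

# Hooks npm runs on its own during `npm install`; the page places the SSH
# backdoor installer in a postinstall hook.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command text that warrants a human look before the tree is trusted.
SUSPICIOUS = re.compile(
    r"authorized_keys|\.ssh|\bcurl\b|\bwget\b|child_process|eval\(|base64",
    re.IGNORECASE,
)


def audit_tree(node_modules: Path) -> list:
    """Walk every package.json under node_modules, nested trees included, and
    report each install-time hook with a flag for suspicious command text."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not a JSON manifest
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            command = scripts.get(hook)
            if command:
                findings.append({
                    "package": manifest.get("name", pkg_json.parent.name),
                    "version": manifest.get("version", "?"),
                    "hook": hook,
                    "command": command,
                    "suspicious": bool(SUSPICIOUS.search(command)),
                })
    return findings


def _key_lines(text: str) -> list:
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def added_authorized_keys(before: str, after: str) -> list:
    """Keys present after install that were absent from the pre-install
    snapshot; anything listed here was written by something the install ran."""
    baseline = set(_key_lines(before))
    return [ln for ln in _key_lines(after) if ln not in baseline]


def build_constructed_tree(root: Path) -> Path:
    """Constructed sample tree with placeholder names (not the campaign's
    packages). wrapper-lib nests a dependency whose postinstall hook appends
    a key to ~/.ssh/authorized_keys, mirroring the wrap-the-next-package shape."""
    nm = root / "node_modules"
    manifests = {
        "clean-lib": {"name": "clean-lib", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}},
        "wrapper-lib": {"name": "wrapper-lib", "version": "2.1.0",
                        "dependencies": {"inner-installer": "0.0.3"}},
        "wrapper-lib/node_modules/inner-installer": {
            "name": "inner-installer", "version": "0.0.3",
            "scripts": {"postinstall": (
                "node -e \"require('fs').appendFileSync(require('os').homedir()"
                "+'/.ssh/authorized_keys','ssh-ed25519 AAAA... attacker\\n')\""
            )},
        },
        "build-helper": {"name": "build-helper", "version": "3.0.0",
                         "scripts": {"postinstall": "node scripts/build.js"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = nm / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return nm


def run_demo() -> dict:
    """Audit the constructed tree and diff a constructed authorized_keys pair."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_tree(build_constructed_tree(Path(tmp)))
    keys_before = "ssh-ed25519 AAAAC3NzaC1 dev@laptop\n"
    keys_after = keys_before + "# added by install\nssh-ed25519 AAAAXXXX attacker\n"
    return {"hooks": findings,
            "new_keys": added_authorized_keys(keys_before, keys_after)}


if __name__ == "__main__":
    result = run_demo()
    for f in result["hooks"]:
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:10} {f['package']}@{f['version']} {f['hook']}: {f['command']}")
    print("new authorized_keys entries:", result["new_keys"])
```

The order of operations matters: install with `npm ci --ignore-scripts` (a real npm flag) so no hook runs, point audit_tree at the resulting node_modules, and only re-run with scripts enabled once every flagged hook has been read. build-helper shows why the flag is a prompt rather than a verdict: plenty of legitimate packages carry a postinstall hook, and the audit surfaces them for review rather than blocking them.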
The exfiltration endpoint is cloudflareguard.vercel.app/api/v1; the command-and-control endpoint is cloudflareinsights.vercel.app. Both are free-tier Vercel deployments whose names borrow Cloudflare's product naming so that the outbound HTTPS blends in with the Cloudflare traffic nearly every network already carries. Vercel does not vet .vercel.app subdomains for brand impersonation, and that unvetted namespace is the structural primitive the attacker exploits at the egress layer, just as the dev-protocol org hijack exploited unvetted reputation at the source-code layer. The practical consequence for defenders: a hostname containing cloudflare is not evidence of Cloudflare, and egress allowlists built on name substrings rather than exact hostnames will wave this traffic through.
Why this is the fourth vector, not just another supply-chain attack
The shape that unifies the four campaigns in our index this week is the indirect-trust artifact layer. The defender's review eye is on the primary artifact — the Composer lockfile, the GitHub repository, the published theme, the npm dependency name — and the compromise lives in an adjacent layer that the primary artifact points to. Laravel-Lang attacked the tag-to-commit address. Megalodon attacked the workflow file inside the repository. Ghost CMS attacked the theme rendering pipeline downstream of the published page. Polymarket Bot attacked the published GitHub organization's verified-status reputation, which is the indirect-trust signal that gets a developer to clone a repository without auditing the dependency tree.
Verified-org reputation hijack is the most consequential of the four because it scales with the historical accumulation of the organization's reputation. An established GitHub org with 568 followers and seven years of commits is, in every defender's heuristic, more trustworthy than the same code in a freshly registered org. The attacker who hijacks the verified org gets to ride seven years of accumulated trust signal for the cost of compromising a single maintainer account. The post-hijack distribution of the malicious package looks identical, to the defender's eye, to the legitimate distribution of a legitimate package — until the file exfiltration starts sixteen seconds after install.
DugganUSA's IOC index now carries the nine concrete indicators tied to the campaign: the four malicious npm packages, the two Vercel-hosted attacker domains, the compromised GitHub repository URL, and the two attacker GitHub usernames. Source-tagged research-import-polymarket-bot-2026-05-24. Defenders consuming our STIX feed have the indicators inside the SIEM tonight.
And while we were here
The same back-fill that surfaced the Polymarket URL also surfaced something we did not have before: shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion, the ShinyHunters leak-site Tor address. Dominic Alvieri posted it publicly on X earlier this year, ANY.RUN has it sandboxed and ransomware.live tracks it, but our adversary index did not carry it as a structured record until the ShinyHunters profile we wrote yesterday pulled it into the iocs index this evening through the back-fill pipeline.
For ShinyHunters-victim organizations — Instructure, Cushman & Wakefield, NVIDIA Armenia, and the next eight on the leak board — that .onion is the canonical destination where stolen data lands if the ransom does not get paid. Customers consuming our feed who are running ShinyHunters-targeted infrastructure should treat any outbound connection attempt to that hostname from inside the perimeter as a sign that the adversary has staged exfiltration tooling on internal hardware. One caveat on where to look: .onion names never resolve through public DNS, so the indicator fires as a .onion name in DNS or proxy logs (a Tor client leaking a lookup) or in Tor-client telemetry, not as a conventional DNS resolution. We do not deliver the .onion to consumer browsers; we deliver it to defender SIEM correlation as a high-confidence destination indicator.
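Detection logic for the egress side of both stories above, the Vercel-hosted endpoints that borrow Cloudflare's product names and the ShinyHunters .onion, as an added example that is not part of the original post or the DugganUSA feed. The log format is an assumption for this example, the log lines are constructed, and the hosts cloudflare-cdn-static.vercel.app and exampleabcdef1234567.onion are hypothetical stand-ins for infrastructure that is not yet in any index, included to show the generalized rules (brand token on a free-tier hosting suffix, any .onion name) firing alongside exact-match indicators from the page. The last function emits the matching STIX 2.1 indicator pattern for a set of hostnames.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample egress telemetry: DNS queries and TLS SNI from a proxy.
# The "host=... query=|sni=..." layout is an assumed format for this example.
SAMPLE_LOG = """\
2026-05-24T20:01:02Z host=build-07 dns query=registry.npmjs.org
2026-05-24T20:01:04Z host=build-07 https sni=cloudflareguard.vercel.app path=/api/v1
2026-05-24T20:01:05Z host=build-07 https sni=cloudflareinsights.vercel.app
2026-05-24T20:02:11Z host=dev-laptop-3 https sni=polymarketbot.polymarketdev.workers.dev path=/v1/wallets/keys
2026-05-24T20:03:40Z host=fileserver-1 dns query=shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion
2026-05-24T20:04:00Z host=dev-laptop-3 https sni=www.cloudflare.com
2026-05-24T20:04:30Z host=dev-laptop-3 https sni=my-portfolio-site.vercel.app
2026-05-24T20:05:12Z host=build-07 https sni=cloudflare-cdn-static.vercel.app
2026-05-24T20:06:48Z host=fileserver-1 dns query=exampleabcdef1234567.onion
"""

# Exact-match indicators taken from the page (campaign endpoints plus the
# ShinyHunters leak site).
KNOWN_BAD_HOSTS = {
    "cloudflareguard.vercel.app",
    "cloudflareinsights.vercel.app",
    "polymarketbot.polymarketdev.workers.dev",
    "shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion",
}

# Hosting suffixes where any account can claim a subdomain without vetting.
FREE_TIER_SUFFIXES = (".vercel.app", ".workers.dev", ".pages.dev", ".netlify.app")
# Brand tokens that have no business in a subdomain on those suffixes.
BRAND_TOKENS = ("cloudflare", "microsoft", "google", "okta", "github")

DEST_RE = re.compile(r"\b(?:query|sni)=(\S+)")
SRC_RE = re.compile(r"\bhost=(\S+)")


def classify_host(host: str) -> Optional[str]:
    """Verdict label for a destination hostname, or None when nothing fires."""
    host = host.lower().rstrip(".")
    if host in KNOWN_BAD_HOSTS:
        return "known-ioc"
    if host.endswith(".onion"):
        # .onion names never resolve via public DNS; one in DNS or proxy
        # logs means a Tor client on the source host is leaking lookups.
        return "tor-hidden-service"
    for suffix in FREE_TIER_SUFFIXES:
        if host.endswith(suffix):
            subdomain = host[: -len(suffix)]
            if any(token in subdomain for token in BRAND_TOKENS):
                return "brand-impersonation-on-free-tier"
    return None


def scan_log(text: str) -> list:
    """Run classify_host over each line and collect alerts with their source."""
    alerts = []
    for line in text.splitlines():
        dest = DEST_RE.search(line)
        if not dest:
            continue
        verdict = classify_host(dest.group(1))
        if verdict is None:
            continue
        src = SRC_RE.search(line)
        alerts.append({
            "source": src.group(1) if src else "?",
            "dest": dest.group(1).lower().rstrip("."),
            "verdict": verdict,
        })
    return alerts


def alerts_by_source(alerts: list) -> dict:
    """Count alerts per internal host, the pivot an analyst triages from."""
    return dict(Counter(a["source"] for a in alerts))


def stix_pattern(hosts) -> str:
    """STIX 2.1 indicator pattern matching any of the given hostnames."""
    clauses = " OR ".join(f"domain-name:value = '{h}'" for h in sorted(hosts))
    return f"[{clauses}]"


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['source']:14} -> {a['dest']:60} {a['verdict']}")
    print(alerts_by_source(found))
    print(stix_pattern(KNOWN_BAD_HOSTS))
```

The three tiers are deliberate: the exact-match set is the high-confidence feed, the .onion rule catches the next leak site before anyone indexes it, and the brand-token rule on free-tier suffixes is the generalization of the Cloudflare-naming trick. www.cloudflare.com and my-portfolio-site.vercel.app pass precisely because the rule keys on a brand token inside an unvetted subdomain, not on the suffix or the token alone.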
The asymmetric edge that travels
Two adversary profiles back-filled tonight. Fifty-five IOCs landed. Inside the noise, three high-value artifacts surfaced: the Tiledesk poisoning commit hash, the Polymarket Bot supply-chain campaign in its entirety, and the ShinyHunters .onion. Each one belongs to a different operator. Each one is the same doctrine in a different vector. The Polymarket campaign in particular adds the verified-org hijack to the catalog and pushes the doctrine into the cryptocurrency-revenue surface that previously sat outside our CI/CD-flavored receipts.
Four vectors in three weeks. The doctrine has compounded. The next campaign that fires will use one of the same four vectors, or a fifth that fits the same shape. The defender who learned the shape this week will catch it on the day it lands.
