redeem-onchain-sdk is a malicious npm package impersonating a Polymarket on-chain SDK. It collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and a month of git commit history, then ships everything over a raw TCP socket to an AWS-hosted C2. Two triggers fire it: a require() side effect in the package's main entry point (added in v1.0.1) and a postinstall hook (added in v1.0.5). The payload lives in dist/proxy.js, later renamed dist/index5_test.js.
-= Per source details. Do not edit below this line.=-
The package redeem-onchain-sdk was found to contain malicious code.
1.0.7Exploitability
AV:NAC:LPR:NUI:NScope
S:CImpact
C:HI:HA:H10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H