redeem-onchain-sdk is a malicious npm package impersonating a Polymarket on-chain SDK. It collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and a month of git commit history, then ships everything over a raw TCP socket to an AWS-hosted C2. Two triggers fire it: a require() side effect in the package's main entry point (added in v1.0.1) and a postinstall hook (added in v1.0.5). The payload lives in dist/proxy.js, later renamed dist/index5_test.js.
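To check a project tree for the indicators named above (package name, postinstall hook, payload file names), the following sketch can be used. It is an added example, not part of the original advisory or of any vendor tooling. The function names `inspectPackageDir` and `scanNodeModules` are hypothetical, and it assumes a conventional nested `node_modules` layout with real directories (symlinked layouts are not followed).

```javascript
// Added example: read-only triage for the indicators named in this advisory.
// It parses package.json and checks for files; it never require()s the package,
// because loading the main entry point is one of the two triggers.
const fs = require("fs");
const path = require("path");

const PKG_NAME = "redeem-onchain-sdk";
const PAYLOAD_FILES = ["dist/proxy.js", "dist/index5_test.js"]; // from the advisory

// Inspect one installed package directory; returns null if it is another package.
function inspectPackageDir(dir) {
  let manifest;
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  } catch {
    return null; // no manifest or unparsable: not a package directory
  }
  if (manifest.name !== PKG_NAME) return null;
  const scripts = manifest.scripts || {};
  return {
    dir,
    version: manifest.version || null,
    main: manifest.main || null, // entry point whose require() fires the payload
    postinstall: scripts.postinstall || null, // install-time trigger
    payloadFiles: PAYLOAD_FILES.filter((f) => fs.existsSync(path.join(dir, f))),
  };
}

// Walk a node_modules directory, including @scope folders and nested node_modules.
function scanNodeModules(root) {
  const findings = [];
  const stack = [root];
  while (stack.length) {
    const current = stack.pop();
    let entries;
    try {
      entries = fs.readdirSync(current, { withFileTypes: true });
    } catch {
      continue; // directory does not exist or is unreadable
    }
    for (const e of entries) {
      if (!e.isDirectory() || e.name.startsWith(".")) continue;
      const full = path.join(current, e.name);
      if (e.name.startsWith("@")) { stack.push(full); continue; } // scope folder
      const hit = inspectPackageDir(full);
      if (hit) findings.push(hit);
      stack.push(path.join(full, "node_modules")); // transitive installs
    }
  }
  return findings;
}
```

Any finding means the host that ran `npm install` or loaded the package should be treated as exposed for every credential type listed above.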
-= Per source details. Do not edit below this line.=-
The package redeem-onchain-sdk was found to contain malicious code.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "1.0.7"
      ],
      "sha256": "765d01eed7c5ad80c911fec6f2e1778fb2c14fa7165520416d85273858f7e3e3",
      "modified_time": "2026-04-30T21:59:18Z",
      "source": "amazon-inspector",
      "import_time": "2026-04-30T22:23:13.562263137Z"
    }
  ]
}