-= Per source details. Do not edit below this line.=-
The package attempts to exfiltrate sensitive data related to cryptocurrencies and API keys, as well as establish persistence. Likely related to 2026-05-polymarket-data-fetcher.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-polymarket-data
Reasons (based on the campaign):
crypto-related
exfiltration-crypto
exfiltration-credentials
persistence
{
"iocs": {
"urls": [
"https://bold-river-456.onrender.com/api/v1",
"https://ideal-octo-spoon.onrender.com/api/v1",
"https://quiet-sky-123.onrender.com/api/v1"
],
"domains": [
"bold-river-456.onrender.com",
"ideal-octo-spoon.onrender.com",
"quiet-sky-123.onrender.com"
]
},
"malicious-packages-origins": [
{
"source": "kam193",
"sha256": "a690aea77d0d48fae2a4f500f434cc5d4fb5cde042b7b902b0ee647b97921dc4",
"import_time": "2026-05-30T04:48:38.02503993Z",
"modified_time": "2026-05-30T03:57:51.233242Z",
"id": "pypi/2026-05-polymarket-data/polymarket-data",
"versions": [
"2.0.0",
"2.0.1"
]
},
{
"source": "reversing-labs",
"sha256": "8a855b177aec530b370028cfbabbfd0aca67e9735d7b3fd2f2010440050eba57",
"import_time": "2026-07-09T09:11:39.789426444Z",
"modified_time": "2026-07-07T11:49:52Z",
"id": "RLMA-2026-02105",
"versions": [
"2.0.0",
"2.0.1"
]
}
]
}