Security Alert: Malicious bot found on GitHub stealing users' private keys


In recent hours, an active code compromise campaign has been detected on GitHub, putting developers worldwide at risk. The culprit is a fraudulent bot that infiltrates projects like polymarket-copy-trading-bot, injecting malicious dependencies to steal user credentials and funds.

How the attack works: The mechanism behind private key theft

The attack vector is as sophisticated as it is devastating. When the compromised project runs, the malicious code automatically reads the user's wallet private key directly from the .env file (where sensitive data is typically stored) and transmits it to attacker-controlled servers. All of this happens through a malicious dependency hidden under a seemingly legitimate name, making it difficult to detect at first glance.

The process is almost invisible to the user: upon starting the application, the bot exfiltrates data in the background without triggering obvious alerts. This technique of slipping a malicious package into the dependency list has proven highly effective against developers who do not thoroughly review each package update.

Protect yourself: Warning signs and immediate defensive measures

This security alert should be taken very seriously. If you use GitHub projects related to trading or digital asset management, take the following steps immediately:

  • Check your .env file to ensure no private keys are exposed
  • Inspect the installed dependencies in your project and remove any suspicious packages
  • Audit your wallet access logs from recent days to detect unauthorized movements
  • Consider regenerating your private keys if you suspect they have been compromised

The best defense is vigilance: stay alert to changes in repositories you use and verify the sources of any dependencies before adding them to your code. In digital security, timely alerts can mean the difference between being protected and suffering an attack.
