According to 23pds, the bot exfiltrated wallet private keys via a hidden dependency to a hacker-controlled server, resulting in asset theft.
On Dec. 21, SlowMist’s chief information security officer 23pds issued a security alert after a community report found that the Polymarket-copy-trading-bot contains hidden malicious code. The bot reads wallet private keys from .env files and sends them through the hidden dependency excluder-mcp-package@1.0.4 to a hacker-operated server, causing asset theft. The developer repeatedly modified and resubmitted the malicious package on GitHub after discovery.