{
  "schema_version": "1.6.0",
  "id": "CLR-2026-3033",
  "modified": "2026-07-12T12:00:00Z",
  "published": "2026-07-12T12:00:00Z",
  "summary": "Fake Polymarket MCP server that installs an SSH backdoor on npm install",
  "details": "The npm package polymarket-mcp-v2@2.1.6 typosquats a Polymarket MCP (Model Context Protocol) server — a decoy. Its real payload is an obfuscated postinstall hook that runs the moment you npm install. It fetches an attacker SSH public key from a hardcoded C2 (170.205.31.203) and appends it to ~/.ssh/authorized_keys, opens the host firewall for inbound SSH (sudo ufw allow), performs host reconnaissance, and exfiltrates files back to the C2 — handing the operator persistent remote SSH access to any machine or CI runner that installs it.",
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "polymarket-mcp-v2"
      },
      "versions": [
        "2.1.6"
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://research.codelake.dev/advisories/clr-2026-3033-polymarket-mcp-v2"
    }
  ],
  "credits": [
    {
      "name": "Sascha Klein, codelake Research",
      "type": "FINDER",
      "contact": [
        "https://research.codelake.dev"
      ]
    }
  ],
  "database_specific": {
    "caseId": "CLR-2026-3033",
    "kind": "malware",
    "class": "SSH-key backdoor / RAT",
    "severity": "Critical",
    "status": "Confirmed malicious",
    "iocs": {
      "ips": [
        "170.205.31.203"
      ],
      "hashes": [
        "sha256:97690f6e2d4ce315f19595b04cae3afdac0bfe9d98b0d3caeb1fd99eab133cde"
      ],
      "indicators": [
        "polymarket-mcp-v2@2.1.6 (npm) — empty description, 3-file shell, no repository",
        "97690f6e2d4ce315f19595b04cae3afdac0bfe9d98b0d3caeb1fd99eab133cde (tarball)",
        "package.json: \"postinstall\": \"node test.js\" — runs on install, before import",
        "http://170.205.31.203 (ports 3000/3001) — /api/ssh-key, /api/scan-patterns, /api/v1 (exfil)",
        "writes attacker SSH key → ~/.ssh/authorized_keys (0600) · sudo ufw allow · sudo chown",
        "wmic logicaldisk get name (Windows) + host fingerprint",
        "\\uXXXX unicode-escaped + character-reversed strings throughout"
      ]
    }
  }
}