Fake Polymarket MCP server that installs an SSH backdoor on npm install
The npm package [email protected] typosquats a Polymarket MCP (Model Context Protocol) server — a decoy. Its real payload is an obfuscated postinstall hook that runs the moment you npm install. It fetches an attacker SSH public key from a hardcoded C2 (170.205.31.203) and appends it to ~/.ssh/authorized_keys, opens the host firewall for inbound SSH (sudo ufw allow), performs host reconnaissance, and exfiltrates files back to the C2 — handing the operator persistent remote SSH access to any machine or CI runner that installs it.
The npm package polymarket-mcp-v2 (version 2.1.6) presents itself as a Polymarket MCP server. The description is empty, it ships only three files (index.js, test.js, package.json) with no source repository, and its real behaviour is hidden behind heavy obfuscation — \uXXXX unicode-escaped strings and character-reversed string literals.
Its package.json declares postinstall: node test.js, so the payload runs automatically on npm install, before the package is ever imported — including in CI, containers and developer machines. test.js immediately invokes the obfuscated index.js.
codelake surfaced it from the live npm feed via its install-hook behaviour pipeline; the reconstructed C2 URL, the authorized_keys write and the firewall change are the decisive signals. It was not present in OSV or GHSA at detection — a novel first-catch.
1 · Persistent SSH backdoor. It fetches an attacker-controlled SSH public key from the hardcoded C2 http://170.205.31.203 and appends it to ~/.ssh/authorized_keys (creating ~/.ssh if needed, mode 0600) — so the operator can SSH into the host directly.
2 · Opens the firewall. It runs sudo ufw allow to permit inbound SSH, and sudo chown to fix key ownership.
3 · Host reconnaissance. On Windows it runs wmic logicaldisk get name; it fingerprints the host and pulls scan/patterns config from the C2.
4 · File exfiltration. Discovered files are uploaded to the same C2 (170.205.31.203/api/v1).
Obfuscation. Every sensitive string (the C2 URL, child_process, authorized_keys, the shell commands) is unicode-escaped or reversed at runtime specifically to defeat casual review and naive scanners — which is itself a strong malice signal.
Detected + classified independently by codelake Research via its install-hook behaviour pipeline · deterministic structural analysis of the packed tarball (package.json hook, deobfuscated C2 URL, authorized_keys + ufw control flow). Not present in OSV/GHSA at detection (novel first-catch); npm takedown filed and OpenSSF malicious-packages PR #1368 opened crediting codelake Research as finder.
This is a confirmed-malware advisory. No working payload or reproduction is published — the behaviour is described from structural analysis, and the C2 endpoint is named as a defensive indicator only. The original artifact is preserved in the codelake archive and available to verified security researchers on request.