
Polymarket Frontend Poisoned: $3M Stolen via Vendor Script Injection

bleepingcomputer.com · @wild_dolphin · 4 hours ago · Cybersecurity · 3 comments

Hackers hijacked a third-party frontend dependency to steal $3 million from Polymarket users; the company will cover the losses, but details are scarce.

Tags: polymarket, peckshield, bubblemaps, supply chain attack, cryptocurrency, phishing

Polymarket, the $9 billion prediction-market platform, just lost $3 million to a supply-chain attack that hit its frontend, not its backend. Hackers injected malicious JavaScript through a compromised third-party vendor, tricking users into approving fraudulent transactions on the official Polymarket website.

The Attack Vector: A Frontend Dependency, Not a Server Breach

Polymarket's own infrastructure stayed clean. The breach happened at a vendor that supplies frontend dependencies: a script served by that vendor was replaced with a malicious version, which then ran in the browser of every visitor and prompted users to sign wallet transactions that drained their funds. This is the classic “trust the frontend you see” failure, and it cost real money.

Blockchain security firm PeckShield pegged the losses at roughly $3 million in ParyonUSD. The attacker bridged the stolen funds from Polygon to Ethereum and converted them into 1,893 ETH. Bubblemaps confirmed fewer than 15 accounts were drained, and Polymarket published a list of affected wallets.

Polymarket’s Response: Full Reimbursement, Few Technical Details

Polymarket says it will fully reimburse every customer who lost funds. That's the right call, but the announcement is thin on specifics: no vendor name, no timeline, no root-cause analysis beyond “supply-chain attack.” Independent intelligence firms filled the gap, but Polymarket needs to publish a postmortem if it wants to rebuild trust.

This isn't a novel technique. Third-party script injection has been used against LastPass, OptinMonster, and others. What makes this notable is the target: a $9 billion crypto platform with massive trading volume that claims to reflect “market expectations” for real-world events. If the frontend can be silently poisoned, the integrity of every price signal becomes questionable.

What This Enables Next: Tighter Supply-Chain Auditing for Web3 Frontends

Crypto platforms have spent years hardening smart contracts and backend APIs. The frontend dependency chain remains the soft underbelly. Expect more teams to adopt subresource integrity (SRI) checks, content security policies, and runtime script monitoring. Until every third-party JS bundle is treated as a potential attack surface, this won't be the last $3 million lesson.


Source: Polymarket customers lose $3 million in supply-chain attack
Domain: bleepingcomputer.com
