Last updated: July 5, 2026 at 9:01 AM UTC
Tag: polymarket (1 article)

Polymarket users lose nearly $3 million in website supply-chain attack

The crypto prediction market Polymarket says attackers stole close to $3 million from users after compromising a third-party vendor and injecting a malicious script into the platform's website. The script ran on the live site and prompted users connecting their wallets to approve transactions that drained their funds; researchers traced roughly $2.94 million taken from around a dozen accounts and bridged into Ethereum. Because the attack rode in through a trusted frontend dependency rather than Polymarket's own systems, it was invisible to users. Polymarket removed the dependency, contained the incident, and pledged full refunds. It was the platform's second security incident in two months.

Check
Review the third-party scripts and dependencies loaded by your web frontends, and confirm you would detect unauthorized changes to them; users should be wary of unexpected wallet-signing prompts.
Affected
Web platforms that load third-party frontend dependencies, and their users; a single compromised vendor can inject wallet-draining or credential-stealing code that runs as trusted, first-party code in the browser.
Fix
Pin and integrity-check third-party scripts with Subresource Integrity, monitor frontend code for unauthorized changes, vet and limit vendor dependencies, and warn users to scrutinize every wallet-signing or credential prompt.
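
A minimal sketch of the Check and Fix items above, added here as an illustration and not taken from Polymarket or the reporting: it lists the third-party scripts in a page, flags any without a usable Subresource Integrity pin, and flags pinned scripts whose currently served bytes no longer match. The hostnames, script bodies and function names are constructed assumptions.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGS = ("sha256", "sha384", "sha512")  # hash algorithms SRI accepts

def sri(body: bytes, alg: str = "sha384") -> str:
    """Return the SRI value (alg-base64digest) for a script body."""
    return f"{alg}-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a)

def audit(html: str, site_host: str, fetched: dict) -> list:
    """Return (src, finding) pairs; fetched maps script URL -> bytes served now."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for a in collector.scripts:
        src = a["src"]
        if urlparse(src).hostname in (None, site_host):
            continue  # relative or same-host script: out of scope for this check
        pins = [p for p in (a.get("integrity") or "").split()
                if p.split("-", 1)[0] in SRI_ALGS]
        if not pins:
            findings.append((src, "no usable integrity attribute"))
            continue
        if "crossorigin" not in a:  # cross-origin SRI needs a CORS request
            findings.append((src, "integrity set without crossorigin"))
        if not any(sri(fetched[src], p.split("-", 1)[0]) == p for p in pins):
            findings.append((src, "content does not match pinned hash"))
    return findings

# Constructed sample: one pinned vendor script that changed upstream, one unpinned.
W, C = "https://cdn.vendor.example/widget.js", "https://cdn.vendor.example/chat.js"
GOOD = b"console.log('widget v1');"
CHANGED = GOOD + b"/* modified upstream */"
PAGE = (f'<script src="/app.js"></script>'
        f'<script src="{W}" integrity="{sri(GOOD)}" crossorigin="anonymous"></script>'
        f'<script src="{C}"></script>')
FETCHED = {W: CHANGED}

if __name__ == "__main__":
    print(audit(PAGE, "app.example", FETCHED))
```

Run against a build's HTML in CI, a non-empty result is the signal that a vendor script is unpinned or has drifted from the version that was reviewed.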