Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor

2026-04-10 Panther

https://panther.com/blog/polymarket-trader-funds-at-risk-dprk-npm-package-steals-wallet-keys


Panther analyzed [email protected], an npm package that its write-up attributes to DPRK (Famous Chollima) activity and that was built to target developers running automated Polymarket trading bots. The package masqueraded as a logging utility and executed at require() time, so any code path that loaded the module triggered the payload: it collected host details, swept the filesystem, installed an SSH backdoor on Linux, and stole Polymarket-specific credentials. Its targeted theft looked for project .env data and SDK-related files such as env.ts, config.ts, createClobClient.ts, and clob.ts, which can expose CLOB API credentials and the L1 wallet private keys used to trade or control USDC balances. Exfiltration went to api.mywalletsss[.]store endpoints for system information, filesystem batches, and project environment data, while the Linux persistence mechanism wrote an attacker-controlled ed25519 key into ~/.ssh/authorized_keys. Because of the SDK-specific file targeting and the persistence, removing the package alone is insufficient: affected developers need to inspect authorized_keys and rotate Polymarket, wallet, and project credentials.
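
The two clean-up steps the write-up calls for, auditing authorized_keys and locating the credential-bearing files to rotate, as an added example (not Panther's code). It assumes the developer keeps an allow-list of SSH key fingerprints they recognise, and the sample authorized_keys text and its key blobs are constructed, not taken from the incident.

```python
import base64
import hashlib
import os
import shlex

# File names the package collected, per the write-up; rotate whatever they hold.
TARGETED_FILES = {".env", "env.ts", "config.ts", "createClobClient.ts", "clob.ts"}

# Constructed sample authorized_keys; the blobs are synthetic, not real keys.
KNOWN_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIAAA" + "A" * 40
ROGUE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIAEB" + "AQEB" * 10
SAMPLE_AUTHORIZED_KEYS = (
    "# developer's own key\n"
    f"ssh-ed25519 {KNOWN_BLOB} dev@laptop\n"
    f'no-pty,command="/bin/sh" ssh-ed25519 {ROGUE_BLOB} backup\n'
)

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, allowed_fingerprints):
    """Return every entry whose key is not in the developer's fingerprint allow-list."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # Entries may begin with options (no-pty, command="..."); shlex keeps
            # quoted values intact, and the key-type field is located by prefix.
            fields = shlex.split(line)
            idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-")))
            ktype, fp = fields[idx], fingerprint(fields[idx + 1])
        except (ValueError, StopIteration, IndexError):
            findings.append({"line": lineno, "reason": "unparseable", "entry": line})
            continue
        if fp not in allowed_fingerprints:
            findings.append({"line": lineno, "reason": "unknown key", "type": ktype, "fingerprint": fp})
    return findings

def find_credential_files(project_root):
    """Paths under project_root matching the targeted names (node_modules skipped)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(project_root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        hits += [os.path.join(dirpath, f) for f in filenames if f in TARGETED_FILES]
    return sorted(hits)
```

Run audit_authorized_keys over the real ~/.ssh/authorized_keys with your own fingerprints (ssh-keygen -lf prints them in the same SHA256 form) and treat every "unknown key" or "unparseable" finding as a line to remove; find_credential_files then lists the files whose contents need new secrets.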

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN outlook.com 2018-09-06 2026-04-17
EMAIL [email protected] 2026-04-10 2026-04-10
