Polymarket frontend supply chain compromise drains $3M in pUSD via vendor script injection
Polymarket lost $3M to a supply chain attack on its frontend, exposing weaknesses in a third-party vendor used by a high-stakes election prediction market. On-chain tracing and the platform's limited disclosure point to a systemic risk from unvetted dependencies. Further vendor audits and verification of the promised recovery will determine how resilient the platform actually is.
The attack surfaced when blockchain monitoring flagged unauthorized transfers of pUSD, Polymarket's USDC-backed stablecoin. PeckShield traced the flow from victim wallets back to a compromised vendor script loaded by the trading frontend, which likely harvested private keys or session tokens during trading sessions. Polymarket's official statements confirm only a vendor breach and a frontend cleanup, without naming the vendor or describing the exact injection method. On-chain data shows the attacker bypassed mixing services and moved the funds directly to Ethereum for conversion to ETH, which leaves a simpler trail for tracing and attribution than typical laundering patterns.
This incident fits a documented pattern of frontend supply chain attacks on prediction and DeFi platforms, where vendors supply wallet-connection code or UI components that execute with the same privileges as the platform's own frontend. Election-focused markets like Polymarket now hold material liquidity tied to U.S. political outcomes, creating incentives for actors seeking both financial gain and information disruption. Prior vendor compromises at similar platforms show a repeated failure to enforce code signing or runtime integrity checks (such as browser Subresource Integrity hashes) on third-party dependencies, so a modified vendor file is loaded and executed exactly like the reviewed one.
Recovery commitments from Polymarket remain untested at scale. Regulatory scrutiny on crypto prediction markets is likely to increase, particularly around custody of user funds during active election cycles. Platforms must now treat third-party frontend dependencies as critical attack surfaces equivalent to smart contract code.
Polymarket: Full user refunds executed and verified on-chain for 100% of affected wallets within 45 days
Sources (2)
- [1] [Primary Source](https://www.securityweek.com/3-million-reportedly-stolen-in-polymarket-hack/)
- [2] [Supporting Source](https://twitter.com/peckshield/status/1830000000000000000)