pypi

polydata-analytics @1.3.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID: MAL-2026-4285

Ecosystem: pypi

Summary

Package self-describes as a Polymarket market-data analytics tool but ships a Windows clipboard monitor (src/polymarket_data_fetcher/_clipper/win_clip.py) that detects copied BTC/ETH/SOL/TRX/Polygon/BSC wallet addresses and silently overwrites them with attacker-controlled replacement addresses, redirecting cryptocurrency transfers to the attacker.

The replacement address table and persistence configuration are stored as XOR-encrypted blobs (_W and _P) in src/polymarket_data_fetcher/_obf.py and decoded at runtime via eval() of a host-key-derived decryption, hiding the attacker wallets from static review.

The package installs four redundant persistence vectors per platform: on Linux, ~/.config/autostart/data-fetcher.desktop, a user systemd service d-clipper-user.service, an appended background launcher line in ~/.bashrc/~/.profile, and an @reboot crontab entry; on Windows, an HKCU\...\Run\DataFetcher registry value, a Startup-folder shortcut, an sc-created DataService service when admin, and a schtasks /sc onlogon /rl highest scheduled task named DataUpdater; on macOS, a ~/Library/LaunchAgents/com.datafetcher.plist with RunAtLoad, Folder Actions registration, and an osascript-added login item named 'Data Sync'.

Every malicious code path is gated by an anti-analysis check (src/polymarket_data_fetcher/_utils.py) that enumerates VBoxManage, VMware, VirtualBox, QEMU, Wireshark, IDA, OllyDbg, Process Hacker and aborts on sandbox-shaped usernames; this is a characteristic malware shape, never present in legitimate analytics tooling.

The advertised fetch_market_data() function is a thin wrapper around polymarket.com/gamma/markets and exists only as cover; __main__.py invokes _bg_services() and an infinite sleep loop, so running the bundled polydata-fetcher CLI launches the clipper and persistence in the background.

Author metadata is placeholder ('Data Analytics Team <data-team@analytics.dev>') with no real publisher identity.

Source: amazon-inspector (04c2f2ae400ee7411678735073e22d4c662de5653a4add84eaca159ed0ba004a)
