MALICIOUS (1) campaign cataloged at 2026-05-01(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-05-oracle-lag-sniper

When using the package, it exfiltrates sensitive environmental variables (targeting Polymarket keys) to the target controlled via a Polymarket's user profile. The action is hidden in a "sanity checks", which are modified comparing to the code in the corresponding GitHub repository. Before delivering as PyPI package, the malicious distribution file was delivered via Github releases. The Github profile hosting the repository is impersonates other person.

Abuse categories

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

exfiltration_env_variables

Campaign uses exfiltration_env_variables.

impersonation

Campaign uses impersonation.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• https://github.com/JonathanPetersonn/oracle-lag-sniper/commit/1c9e1a59ccece47506d68c34cd98a5d7b4a7756c

• https://polymarket.com/profile/0x5194a5f5bceabdc955d1b2bd5ed150610316c1d7

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• api-gateway.nodehealth.workers.dev

• hxxps://api-gateway.nodehealth.workers.dev/api/v1/health

Packages in the campaign

campaign:2026-05-oracle-lag-sniper

• oracle-lag-sniper