
MALICIOUS (1) campaign cataloged at 2026-05-01(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is only the date the catalog entry was created. It may not reflect the date the campaign itself was created.

2026-05-py-clob-clients

The package exfiltrates environment variables from .env files. It is a typosquat of a legitimate package and is used in a malicious GitHub repository.

Abuse categories

action-hidden-in-lib-usage

The malicious action is hidden in the code and starts when the user interacts with it (e.g. during class initialization or by exfiltrating given credentials).

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

exfiltration_env_variables

Campaign uses exfiltration_env_variables.

through_dependency

The malicious code is intentionally included in a dependency of the package.

typosquatting

The package name is a typosquatting variant of a popular package.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxp://135.181.211.196:8787/

  • 135.181.211.196

Packages in the campaign

campaign:2026-05-py-clob-clients