Polymarket customers lose $3 million in supply-chain attack
Polymarket customers lost approximately $3 million after attackers injected malicious scripts into the platform's frontend following a breach at a third-party vendor. Polymarket announced it will fully reimburse affected customers.
- Disclosed: June 26, 2026
- Last updated: June 29, 2026
- Blast radius: Polymarket platform users; estimated $3 million in customer losses
- Ecosystems
- Attack vectors
- Affected entities: Polymarket

Frontend compromised via third-party vendor breach
Polymarket, a prediction market platform, suffered a supply chain attack in which malicious scripts were injected into its frontend. The attack was enabled by a breach at a third-party vendor that Polymarket relied upon, rather than a direct compromise of Polymarket's own systems.

The attack resulted in approximately $3 million in losses for Polymarket customers. The company responded by committing to fully reimburse all affected users for their losses.

This incident exemplifies third-party vendor risk in SaaS platforms, where dependencies on external vendors can create attack surface even when the primary service provider's own security is sound.
Remediation
- Audit and strengthen third-party vendor security requirements and monitoring
- Implement Content Security Policy (CSP) headers to restrict script injection
- Deploy frontend integrity monitoring to detect unauthorized script injection
- Conduct forensic analysis to identify the compromised vendor and scope of breach
- Review and enhance vendor risk management and supply chain security practices
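As an added illustration of the frontend integrity monitoring item above (example code written for this entry, not Polymarket's or the catalog's own tooling), the check below parses the `<script>` elements of a page snapshot and compares them with an allowlist of expected external sources and inline-script hashes, flagging anything injected or any external script shipped without Subresource Integrity. The snapshot, domains and hashes are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects every <script> element: external src, integrity attribute, inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._open is not None:          # script bodies arrive as CDATA text
            self._open["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def audit_scripts(html, allowed_src, allowed_inline_hashes):
    """Return (kind, detail) findings for scripts that deviate from the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            if s["src"] not in allowed_src:
                findings.append(("unexpected-src", s["src"]))        # external script not in baseline
            elif not s["integrity"]:
                findings.append(("missing-integrity", s["src"]))     # no SRI: a swapped CDN file would load
        else:
            digest = sha256_hex(s["body"].strip())
            if digest not in allowed_inline_hashes:
                findings.append(("unexpected-inline", digest))       # inline script not in baseline
    return findings

# Constructed baseline and snapshot (hypothetical domains, not Polymarket's real assets).
ALLOWED_SRC = {"https://static.example/app.js"}
ALLOWED_INLINE = {sha256_hex("window.__APP_CONFIG__ = {env: 'prod'};")}
SNAPSHOT = """<html><head>
<script src="https://static.example/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.__APP_CONFIG__ = {env: 'prod'};</script>
<script src="https://vendor-widget.example/loader.js"></script>
<script>injectedPayload();</script>
</head><body></body></html>"""

def run_example():
    return audit_scripts(SNAPSHOT, ALLOWED_SRC, ALLOWED_INLINE)
```

A nonce- or hash-based CSP `script-src` is the complementary control: the browser itself refuses both injected scripts, while a check like this turns a periodic snapshot of the served frontend into an alert.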
Sources
- Polymarket customers lose $3 million in supply-chain attack · BleepingComputer
Cite this entry
"Polymarket customers lose $3 million in supply-chain attack." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 26, 2026; last updated June 29, 2026. https://supplychainattack.org/incident/polymarket-customers-lose-3-million-in-supply-chain-attack-ldljc5
Related incidents
- Status: contained; severity: high
LastPass confirms data breach in Klue supply chain attack
LastPass confirmed that hackers accessed customer data from its Salesforce environment by stealing the company's OAuth tokens during the Klue supply chain attack. The breach exposed customer information through a third-party vendor compromise.
Tags: Other, Third-party vendor breach
- Status: active; severity: high
Context.ai OAuth Token Compromise
Context.ai OAuth tokens were compromised, allowing attackers to conduct supply chain attacks through trusted SaaS integrations. Details on scope, timeline, and remediation steps are not provided in the source text.
Tags: Other, Account takeover, Third-party vendor breach
- Status: active; severity: critical
Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised
On June 24, 2026, an attacker published malicious versions of 20 npm packages belonging to the Leo Platform ecosystem in a coordinated attack. All packages contained an identical CI/CD attack toolkit designed to steal secrets from GitHub Actions runners, cloud credential stores, package registries, and password managers, then exfiltrate them via the victim's GitHub token.
Tags: npm, Other, Compromised package
- Status: active; severity: critical
15 Malicious JetBrains Plugins Stole AI API Keys from 70,000 Developers
A coordinated 8-month supply chain attack compromised 15 malicious JetBrains plugins on the official JetBrains Marketplace, stealing AI API keys from approximately 70,000 developers. The credential-stealing code exfiltrated OpenAI, DeepSeek, and SiliconFlow API keys to an attacker-controlled server in Beijing, which remained operational at the time of disclosure.
Tags: Other, Compromised package, Malicious maintainer