fintech · BleepingComputer
Polymarket, a cryptocurrency prediction market platform, experienced a supply-chain attack in which malicious JavaScript was injected into its frontend through a compromised third-party vendor dependency. The injected code tricked users into approving fraudulent transactions on the official website. According to blockchain intelligence firm PeckShield, approximately $3 million in ParionUSD was stolen from fewer than 15 affected accounts, with the stolen funds later swapped for approximately 1,893 Ether and moved across blockchains. Polymarket's own servers and backend infrastructure were not compromised. The company announced it will fully reimburse affected customers.
This incident underscores a critical supply-chain risk for SaaS platforms and fintech providers subject to SOC2 Type II audits: third-party vendor dependencies and frontend code injection represent a material control gap. Fintech services handling sensitive transactions should evaluate whether their vendor management and dependency monitoring processes detect unauthorized code modifications in real time. Defense contractors and regulated organizations processing CUI or payment data should apply similar scrutiny to frontend vendors and build supplier security assessments into their CMMC or SOC2 evidence. An Omniware engagement can scope third-party risk controls and frontend security monitoring in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/
Source: BleepingComputer
All briefings