Polymarket, one of the largest prediction and betting platforms on the web, disclosed that attackers managed to inject malicious code into the site through a compromised third-party vendor. The malicious code ran in users’ browsers and enabled the attackers to siphon approximately $3 million from user accounts before the attack was detected and contained.
Polymarket confirmed the incident and committed to reimbursing affected users in full.
The attack follows a well-known pattern: rather than targeting the platform directly, attackers found a weaker link in its supply chain — a third-party service or script provider — and used that access to reach end users. From the attacker’s perspective, this is an efficient approach: one compromised vendor can give access to every site that loads its code.
For security teams, this is a reminder that your attack surface extends well beyond your own code. Any third-party script, analytics tool, or embedded widget loaded in your users’ browsers is a potential entry point. Subresource integrity checks, content security policies, and continuous monitoring of outbound requests in the browser are the controls that catch this class of attack.
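As an added example that is not part of the article and has no connection to Polymarket's actual setup, the following Python shows the first of those controls in practice: pinning a third-party script with a Subresource Integrity hash, mirroring the browser's check against what the vendor actually serves, and emitting a Content Security Policy that restricts where scripts may load from and where the page may send data. The vendor origin, API origin and script body are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample: the vendor script as reviewed and approved at deploy time.
APPROVED_SCRIPT = b"window.vendorWidget = function () { /* analytics */ };\n"
# Hypothetical origins (assumptions, not from the article).
VENDOR_ORIGIN = "https://cdn.vendor.example"
API_ORIGIN = "https://api.site.example"

# The only digest algorithms browsers accept in an integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI value ('<alg>-<base64 digest>') for the given script body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Emit the <script> tag that pins src to the approved hash.

    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def integrity_matches(served: bytes, integrity: str) -> bool:
    """Mirror the browser's SRI check: recompute the digest of the bytes actually
    served and compare to the pinned value. A tampered vendor script fails here
    and is never executed."""
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    return sri_hash(served, algorithm) == integrity


def csp_header(vendor_origin: str, api_origin: str) -> str:
    """Build a CSP that allows scripts only from the site itself and the approved
    vendor, and limits fetch/XHR destinations (connect-src) so injected code
    cannot freely post harvested data elsewhere."""
    return (
        "default-src 'self'; "
        f"script-src 'self' {vendor_origin}; "
        f"connect-src 'self' {api_origin}; "
        "object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    pinned = sri_hash(APPROVED_SCRIPT)
    print(script_tag(f"{VENDOR_ORIGIN}/widget.js", pinned))
    print("Content-Security-Policy:", csp_header(VENDOR_ORIGIN, API_ORIGIN))
    # Simulate the vendor later serving a modified script: the check fails.
    print("tampered passes:", integrity_matches(APPROVED_SCRIPT + b"alert(1);", pinned))
```

SRI only protects scripts whose content is fixed at deploy time; a vendor script that changes on every release must be re-reviewed and re-pinned, which is the operational cost of the control.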