Prediction market platform Polymarket disclosed that attackers compromised a third-party vendor and used that access to plant malicious code on its website. According to reports circulating online, the injected code allowed the attackers to steal approximately $3 million from user accounts. Polymarket has stated it will reimburse affected users for the full amount.
This is a client-side supply chain attack: rather than breaching Polymarket’s own infrastructure directly, attackers went through a vendor whose code runs in the browser alongside the platform’s own scripts — the same pattern seen in prior incidents involving compromised analytics tags, chat widgets, and payment-adjacent JavaScript libraries. Once malicious code executes in that context, it can intercept form submissions, manipulate transaction data, or redirect funds without triggering server-side alarms, since the traffic often still looks legitimate from the backend’s point of view.
These incidents are difficult to catch with traditional server-side logging alone, because the compromise happens in the user’s browser, not in your infrastructure. Detecting them requires monitoring third-party script behavior: Subresource Integrity (SRI) checks, Content Security Policy (CSP) enforcement, and alerting on unexpected outbound connections from client-side code.
For any organization embedding third-party scripts on pages that handle authentication, payments, or sensitive transactions, this is a reminder to inventory every external script your site loads, restrict what they’re allowed to do via CSP, and treat vendor code changes as a security-relevant event worth monitoring — not just a marketing or product update.
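The inventory and change-monitoring steps above, as an added example (not code from Polymarket or its vendor): it lists a page's external scripts and flags any that are missing from a pinned inventory, third-party scripts loaded without an `integrity` attribute, and scripts whose served body no longer matches the pinned SRI hash. The hosts, script bodies and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// SRI value for a script body, in the format the integrity attribute uses.
function sriHash(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body).digest('base64');
}

// List every <script src> on the page with its integrity attribute, if any.
function listScripts(html, pageUrl) {
  const scripts = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script, out of scope for this audit
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ url: new URL(src[1], pageUrl).href, integrity: integrity ? integrity[1] : null });
  }
  return scripts;
}

// inventory: { url: SRI hash of the reviewed version }.
// served: { url: body as delivered now } (a real run would download each script).
function audit(html, pageUrl, inventory, served) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const s of listScripts(html, pageUrl)) {
    const pinned = inventory[s.url];
    if (pinned === undefined) { findings.push({ url: s.url, issue: 'not-in-inventory' }); continue; }
    if (new URL(s.url).origin !== pageOrigin && !s.integrity) findings.push({ url: s.url, issue: 'missing-integrity' });
    const body = served[s.url];
    if (body !== undefined && sriHash(body) !== pinned) findings.push({ url: s.url, issue: 'content-changed' });
  }
  return findings;
}

// Constructed sample data (hypothetical hosts and script bodies).
const PAGE_URL = 'https://app.example.test/trade';
const VENDOR_URL = 'https://cdn.vendor.example/widget.js';
const REVIEWED_BODY = 'console.log("widget v1");';
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/widget.js"></script>
<script src="https://tags.unknown.example/t.js"></script>`;
const INVENTORY = {
  'https://app.example.test/static/app.js': sriHash('console.log("app");'),
  [VENDOR_URL]: sriHash(REVIEWED_BODY),
};
const SERVED = { [VENDOR_URL]: REVIEWED_BODY + '/* vendor pushed a change */' };
console.log(audit(SAMPLE_HTML, PAGE_URL, INVENTORY, SERVED));
```

Run on a schedule or in CI, a `content-changed` finding turns a vendor's script update into an event someone reviews before the pinned hash is updated.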