An unnamed third-party JavaScript vendor integrated into Polymarket was compromised, with malicious code injected to manipulate blockchain transaction approvals and drain approximately $3 million from users. The primary platform was not directly breached. This is a classic frontend supply chain attack applicable to any web application loading third-party scripts with access to financial, authentication, or privileged browser workflows.