The Polymarket Trojan: Verified GitHub Org Hijacked to Distribute Crypto-Stealing Bots
Ddos 
Image: The StepSecurity threat intelligence team
In a sophisticated supply chain attack discovered by the StepSecurity threat intelligence team, a legitimate Japanese DeFi projectβs GitHub organization, dev-protocol, was hijacked to distribute malicious Polymarket trading bots. By taking over an account with a “verified” badge and years of history, attackers have turned a trusted ecosystem into a primary delivery vector for credential-stealing malware.
The dev-protocol organization is not a “throwaway scam account”; it is a verified entity created in 2019 with over 560 followers. However, starting around February 26, 2026, the organization was flooded with over 20 variants of Polymarket scam repositories.
To the casual observer, these repos look legitimateβboasting hundreds of stars and polished READMEs. But as StepSecurity researchers noted:
“By hijacking a legitimate, verified organization with an established history, the attackers inherit years of credibility… This social engineering layer makes the scam far more effective than creating a fresh account“.
The attack relies on “typosquatted” npm packagesβmalicious libraries named similarly to popular onesβto infect victims in two distinct stages.
| Stage | Trigger | Malicious Package | Action Taken |
| Stage 1 | npm install |
lint-builder |
Executes a postinstall hook to open an SSH backdoor. |
| Stage 2 | Bot Startup | ts-bign & big-nunber |
Imports in the source code trigger a file stealer. |
The most insidious part? The bot actually works. While it connects to real Polymarket APIs and trades as advertised, it is silently exfiltrating private keys and sensitive files in the background.
Using their Harden-Runner monitoring tool, StepSecurity simulated a victim’s journey to capture the attack in real-time. They found that the package lint-builder performs a full system takeover:
- IP Fingerprinting: Records the victim’s public IP.
- SSH Hijacking: Takes ownership of the ~/.ssh directory.
- Firewall Manipulation: Enables the system firewall but explicitly opens Port 22 for inbound SSH access.
The stolen data is sent to C2 (Command and Control) endpoints like cloudflareguard.vercel.app, a domain “deliberately named to look like legitimate Cloudflare infrastructure” to evade detection by security teams.
If you have interacted with any repositories from the dev-protocol organization recently, StepSecurity advises immediate action:
- Rotate Keys: Assume any wallet private keys in your .env files are compromised and transfer funds to a new wallet immediately.
- Audit SSH: Check your ~/.ssh/authorized_keys for unauthorized entries.
- Revoke API Access: Revoke any API keys stored in configuration files.
The attackers are actively covering their tracks by deleting GitHub issues filed by victims who try to warn others. Stay vigilant: even a “Verified” badge is no substitute for auditing your dependencies.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
