big-nunber
big-nunber npm SSH backdoor installer
big-nunber 5.0.2 was embedded in the same fake Polymarket trading bot hosted under the hijacked dev-protocol GitHub organization. It typosquatted bignumber.js but depended on lint-builder, which ran during npm install and at runtime to fetch instructions, steal files, fingerprint the host, and set up SSH access by taking ownership of ~/.ssh and opening port 22. The package combined credential theft with remote-access preparation while the bot continued to appear operational.
- Date: 2026-02-26 to 2026-03-15
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Remote access
- Cause: Typosquatting
What Was Affected
- Package: big-nunber
- Language: JavaScript
- Component: Library
- Artifact type: source archive
- Domain type: package host
- Domain: npmjs.com
- Repository: npmjs.com/package/big-nunber
Compromised Versions
Incident Context
- Motive: Credential Theft/Remote Access
- Transitive: Yes
- User Impact: 0
- Observed Duration: 17 days
Evidence
Compromised Artifacts
External References
Source Data
Source record: oss/big-nunber/meta.yaml