ts-bign
ts-bign npm Polymarket wallet stealer
ts-bign 1.2.8 was one of the malicious npm packages embedded in a fake Polymarket trading bot hosted under the hijacked dev-protocol GitHub organization. The package posed as numeric-library plumbing but pulled in levex-refa, a transitive file stealer that searched for environment files, Solana keypairs, and trading-bot configuration, then exfiltrated them with local user and IP metadata. The case is historically useful because the scam bot still called real Polymarket APIs, making the theft path look like a functional trading tool.
- Date
- 2026-02-26 to 2026-03-15
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Wallet Key Theft
- Cause
- Typosquatting
What Was Affected
Package
ts-bign
LanguageJavaScript
ComponentLibrary
Artifact typesource archive
Domain typepackage host
Domain
npmjs.com
Repository
npmjs.com/package/ts-bign
Compromised Versions
Incident Context
- Motive
- Wallet Key Theft
- Transitive
- Yes
- User Impact
- 0
- Observed Duration
- 17 days
Evidence
Compromised Artifacts
External References
Source Data
Source record: oss/ts-bign/meta.yaml