The dev-protocol GitHub organization appears to have been compromised. Starting around late February 2026, attackers have created 20+ malicious Polymarket trading bot repositories under this organization that steal wallet private keys via typosquatted npm packages.

What is happening:

• Malicious repos like polymarket-copytrading-bot-sport contain typosquatted npm packages (ts-bign, big-nunber) that exfiltrate .env files, wallet keys, and open SSH backdoors
• Bot accounts are inflating star/fork counts to make the repos appear legitimate
• Warning issues filed by victims on the malicious repos are being actively deleted

Impact:

• Users who cloned and ran any of the Polymarket bot repos in this organization should assume their wallet private keys have been compromised
• The verified badge and 568 followers on this organization give the malicious repos false credibility

Full analysis: https://www.stepsecurity.io/blog/malicious-polymarket-bot-hides-in-hijacked-dev-protocol-github-org-and-steals-wallet-keys

We have reported this to GitHub and npm. If you are an original maintainer of the dev-protocol organization, please review your organization's member list and recently created repositories.

— StepSecurity Threat Intelligence (https://www.stepsecurity.io)