Mallory
Malware · Used by 2 actors

lint-builder

lint-builder is a malicious npm package used in the Contagious Trader campaign, a large cryptocurrency-focused malware operation assessed with high confidence as North Korea-linked and overlapping with Lazarus-associated activity. It reached victims as a dependency of fake GitHub cryptocurrency trading-bot repositories, including Polymarket-themed projects hosted from the hijacked dev-protocol GitHub organization.

In the documented infection chain, the typosquatted package big-nunber depends on lint-builder, and lint-builder runs during npm install through a postinstall hook that executes node test.js; the victim never has to start the bot. The malware then contacts attacker-controlled Vercel infrastructure named to resemble Cloudflare services (cloudflareguard.vercel.app and cloudflareinsights.vercel.app) to retrieve scan and block patterns and to exfiltrate stolen data to /api/v1.

Reported behavior includes fingerprinting the victim by requesting its public IP from api.ipify.org, recursively scanning the working directory for credential-bearing files such as .env, exfiltrating what it finds, taking ownership of the victim's SSH directory, enabling ufw, and opening inbound SSH on port 22 to set up persistent remote access. StepSecurity observed the .env exfiltration and the SSH-related host modification in a monitored sandbox. The package was flagged as critical in repositories such as dev-protocol/polymarket-copytrading-bot-sport, where it was pulled in through big-nunber.

The broader campaign targeted cryptocurrency users with fake trading bots themed around Polymarket, Kalshi, Solana, Raydium, and copy trading, and used Vercel-hosted infrastructure named to resemble legitimate Cloudflare services.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Lazarus

Image (not reproduced here): a publish notification for the npm user responsible for the packages lint-builder (malware) and big-nunber (benign intermediary that depends on lint-builder) leveraged in the Contagious Trader campaign.

via kmseckmsec.uk
Contagious Interview

Same publish-notification evidence as under Lazarus above (via kmseckmsec.uk).
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

The StepSecurity threat intelligence team discovered that dev-protocol — a verified GitHub organization with 568 followers belonging to a legitimate Japanese DeFi project — has been hijacked and is now being used to distribute malicious Polymarket trading bots.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

The postinstall hook means node test.js runs automatically during npm install — the victim doesn't need to start the bot for this payload to execute.

Persistence

1 technique
T1546 Event Triggered Execution (evidence: 1)

lint-builder executes automatically via a postinstall hook... The postinstall hook means node test.js runs automatically during npm install

Privilege Escalation

1 technique
T1546 Event Triggered Execution (evidence: 1)

lint-builder executes automatically via a postinstall hook... The postinstall hook means node test.js runs automatically during npm install

Defense Evasion

1 technique
T1036 Masquerading (evidence: 1)

The malware uses two Vercel-hosted endpoints, both named to impersonate Cloudflare services: cloudflareguard.vercel.app ... cloudflareinsights.vercel.app ... The naming strategy is deliberate: both cloudflareguard and cloudflareinsights are plausible Cloudflare service names.

Discovery

2 techniques
T1016 System Network Configuration Discovery (evidence: 1)

Gets the victim's local IP by creating a UDP socket to 8.8.8.8:80 and reading the assigned address ... Fingerprint IP — GET api.ipify.org/?format=json — records victim's public IP address

T1580 Cloud Infrastructure Discovery (evidence: 1)

The repo's package.json includes two typosquatted npm packages that look like legitimate libraries but pull in obfuscated malware as transitive dependencies: Chain 1: ts-bign → levex-refa ... Chain 2: big-nunber → lint-builder

Note that the quoted evidence describes the typosquat dependency chains; the page documents no enumeration of cloud infrastructure, so treat this mapping as weakly supported.

Lateral Movement

1 technique
T1021.004 SSH (evidence: 1)

Take SSH ownership — sudo chown -R runner:runner /home/runner/.ssh ... Open SSH port — sudo ufw allow 22/tcp ... Combined with the IP fingerprinting, this sets up the attacker for direct SSH access to the compromised machine.

Collection

1 technique
T1005 Data from Local System (evidence: 1)

Recursively searches the current working directory for sensitive files: .env and *.env ... id.json ... config.toml and Config.toml

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (evidence: 1)

POSTs each file to the C2 as application/octet-stream ... C2 URL: https://cloudflareguard.vercel.app/api/v1 ... Exfiltrate data — POST cloudflareinsights.vercel.app/api/v1 — uploads stolen files to second C2 endpoint

Defense Evasion

1 technique
T1562 Impair Defenses (evidence: 1)

Fetch blocklist — GET cloudflareinsights.vercel.app/api/block-patterns — downloads anti-detection config (what to avoid)

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type     Value                       Latest sighting
domain   (masked on the public page)  2 months ago
domain   (masked on the public page)  3 months ago
uri      (masked on the public page)  3 months ago