GitHub malicious-dependency incident touching protocol deps

Polymarket's assessment for RD-F-160 — scored not_assessed on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

v1-deferred. Malicious npm packages ts-bign@1.2.8 and big-nunber@5.0.2 (Feb 2026 StepSecurity report) target trading bot developer environments, not Polymarket's Foundry-based Solidity contract dependencies. Polymarket's core contracts are Solidity/Foundry — not npm. The malicious packages impersonate big.js and bignumber.js. No confirmed GitHub Advisory against packages actually consumed by Polymarket contracts.

Sources #

URL
Malicious Polymarket Bot — typosquatted npm packagesStepSecurity — malicious npm packages in fake Polymarket bot reposretrieved 2026-04-29

Methodology #

Determine whether a security advisory flags a malicious release in a dependency consumed by this protocol.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol polymarket factor RD-F-160 score not_assessed collected_at 2026-04-29 16:25:39