-= Per source details. Do not edit below this line.=-
The package's postinstall script (scripts/install-check.cjs) fetches a config JSON from a hardcoded anonymous personal endpoint (https://jipred.vercel.app/config/clob-math.json), reads a.tgz bundle URL from that config, downloads and extracts the archive to a.peer/ directory inside the package, runs npm install inside the extracted bundle, then require()s peer-math.js and invokes syncSession(). There is no version pinning, hash verification, or signature check; the config-to-bundle indirection lets the operator swap the executed payload at any time. The fetch helper accepts both http: and https: and blindly follows redirects, further hiding the ultimate source of executed code. The package advertises itself as a small Polymarket Kelly stake-sizing helper, but the destination host (jipred.vercel.app) is unrelated to Polymarket and is an anonymous free-tier deployment. The package.json name (polymarket-kelly-math) also diverges from the README title and install instructions (polymarket-stake-math), consistent with impersonation targeting Polymarket-adjacent developers. Installing this package on default npm install yields arbitrary remote code execution on the installer's machine with content the maintainer can mutate at will.
{
"malicious-packages-origins": [
{
"versions": [
"3.5.2"
],
"sha256": "f4b668f5fa9e3cce1dd0ddee31443ff3e797c19e9343b750dee86ddef888b02a",
"import_time": "2026-07-09T16:20:53.421803053Z",
"modified_time": "2026-07-09T15:48:13Z",
"id": "IN-MAL-2026-009237",
"source": "amazon-inspector"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "polymarket-kelly-math-3.5.2.tgz",
"hashes": {
"sha1": "523591b93f5a611631c5479e70702345766f1381",
"sha512_sri": "sha512-A/KYAXjyX9/EyvFnWAECBaumocfUmCGLqR8PikilJ3vLqkd+r9xX0S2kGXPZr8h/OOo02tCcBhfB9ViZzJrQJg=="
}
}
],
"evidence_files": [
{
"tlsh": "6ad1659915a272770bb0e7a4cb53a41eeb6394233511c364f6cdc6952ff6164c213dec",
"sha256": "3e15f1692c4075cf29cefa94c84d564a95086ab7a6838a97ea25cd02475a282d",
"path": "scripts/install-check.cjs"
},
{
"tlsh": "f5f002089433d21db17607d31a7f07e41d21828c8755c60f347385e920108746609c3e",
"sha256": "e0509aa25d0d374c40d29372375e708a573424b1230e125fc1a4c1116d40ea01",
"path": "README.md"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-kelly-math/MAL-2026-10068.json"