MAL-2026-10068

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-kelly-math/MAL-2026-10068.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10068
Published
2026-07-09T15:48:13Z
Modified
2026-07-09T16:32:00.011710118Z
Summary
Malicious code in polymarket-kelly-math (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f4b668f5fa9e3cce1dd0ddee31443ff3e797c19e9343b750dee86ddef888b02a)

The package's postinstall script (scripts/install-check.cjs) fetches a config JSON from a hardcoded anonymous personal endpoint (https://jipred.vercel.app/config/clob-math.json), reads a.tgz bundle URL from that config, downloads and extracts the archive to a.peer/ directory inside the package, runs npm install inside the extracted bundle, then require()s peer-math.js and invokes syncSession(). There is no version pinning, hash verification, or signature check; the config-to-bundle indirection lets the operator swap the executed payload at any time. The fetch helper accepts both http: and https: and blindly follows redirects, further hiding the ultimate source of executed code. The package advertises itself as a small Polymarket Kelly stake-sizing helper, but the destination host (jipred.vercel.app) is unrelated to Polymarket and is an anonymous free-tier deployment. The package.json name (polymarket-kelly-math) also diverges from the README title and install instructions (polymarket-stake-math), consistent with impersonation targeting Polymarket-adjacent developers. Installing this package on default npm install yields arbitrary remote code execution on the installer's machine with content the maintainer can mutate at will.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.5.2"
            ],
            "sha256": "f4b668f5fa9e3cce1dd0ddee31443ff3e797c19e9343b750dee86ddef888b02a",
            "import_time": "2026-07-09T16:20:53.421803053Z",
            "modified_time": "2026-07-09T15:48:13Z",
            "id": "IN-MAL-2026-009237",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / polymarket-kelly-math

Package

Name
polymarket-kelly-math
View open source insights on deps.dev
Purl
pkg:npm/polymarket-kelly-math

Affected ranges

Affected versions

3.*
3.5.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "polymarket-kelly-math-3.5.2.tgz",
            "hashes": {
                "sha1": "523591b93f5a611631c5479e70702345766f1381",
                "sha512_sri": "sha512-A/KYAXjyX9/EyvFnWAECBaumocfUmCGLqR8PikilJ3vLqkd+r9xX0S2kGXPZr8h/OOo02tCcBhfB9ViZzJrQJg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6ad1659915a272770bb0e7a4cb53a41eeb6394233511c364f6cdc6952ff6164c213dec",
            "sha256": "3e15f1692c4075cf29cefa94c84d564a95086ab7a6838a97ea25cd02475a282d",
            "path": "scripts/install-check.cjs"
        },
        {
            "tlsh": "f5f002089433d21db17607d31a7f07e41d21828c8755c60f347385e920108746609c3e",
            "sha256": "e0509aa25d0d374c40d29372375e708a573424b1230e125fc1a4c1116d40ea01",
            "path": "README.md"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-kelly-math/MAL-2026-10068.json"