MAL-2026-10083

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clob-math-v2/MAL-2026-10083.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10083
Published
2026-07-09T17:01:08Z
Modified
2026-07-09T17:31:58.910288748Z
Summary
Malicious code in clob-math-v2 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031)

Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a peerBundle tarball URL from the response, downloads the.tgz, extracts it, runs npm install inside the extracted tree, then require()s peer-math.js from it and invokes syncSession(). The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every npm install. Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031",
            "id": "IN-MAL-2026-009361",
            "import_time": "2026-07-09T17:19:29.083901125Z",
            "modified_time": "2026-07-09T17:01:08Z",
            "versions": [
                "2.0.1"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / clob-math-v2

Package

Affected ranges

Affected versions

2.*
2.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6802db59168709186a085f1bf6c162288ae0482d66a35816bda9f0704d0b709b",
            "tlsh": "59a1459519a2727746b1ebb8c722901dfe2340233521c350f6de96952fb72a4c352dec",
            "path": "scripts/install-check.cjs"
        },
        {
            "sha256": "0be964461c750668855e893277248c03e5202602288c7d9997ab5bda440c452c",
            "tlsh": "def07837da504e3624b88f6d4e691544f4640b1f22b00d0b70bba11c0fb2163045b739",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "clob-math-v2-2.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-jISRVZ1xVYBWQYuMjhuB/Y1IDMmfvedX5SDUaakXXf33dma91ueeeiWCVLabgBcW65QJGcY6oxD0f8oV4UY2VQ==",
                "sha1": "6728fd433ad7acf94463195398c61e63939f8046"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clob-math-v2/MAL-2026-10083.json"