-= Per source details. Do not edit below this line.=-
polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs npm install inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every npm install. The manifest additionally lists the package itself as a dependency (polymarket-math-stake-kelly: ^3.7.2), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T17:38:18Z",
"versions": [
"3.7.2"
],
"sha256": "408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5",
"id": "IN-MAL-2026-010275",
"source": "amazon-inspector",
"import_time": "2026-07-13T18:10:12.779196889Z"
}
]
}{
"evidence_files": [
{
"tlsh": "6ad1659915a272770bb0e7a4cb53a41eeb6394233511c364f6cdc6952ff6164c213dec",
"sha256": "3e15f1692c4075cf29cefa94c84d564a95086ab7a6838a97ea25cd02475a282d",
"path": "scripts/install-check.cjs"
},
{
"tlsh": "d701423bda608e3668b98f9d5e6a2644b4600b0ba2b04d0b70fba10c4f72173045ab79",
"sha256": "d3c6e162af751181e13108bead7edc2810c3b7f93cad2a792bccf102e1c3b825",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "1b0398a19b748f21c33d7e7defec2c537e230e44",
"sha512_sri": "sha512-6lOvsL7NvqGnw2axXcYN0QwWnpHX5sHCAaU1XEfQdsShaPIR7xuOIHaR8vwQLHPSkRWOMo+x8kues6xBntiRiQ=="
},
"filename": "polymarket-math-stake-kelly-3.7.2.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-math-stake-kelly/MAL-2026-10466.json"