MAL-2026-10466

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-math-stake-kelly/MAL-2026-10466.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10466
Published
2026-07-13T17:38:18Z
Modified
2026-07-13T18:16:56.398679377Z
Summary
Malicious code in polymarket-math-stake-kelly (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5)

polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs npm install inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every npm install. The manifest additionally lists the package itself as a dependency (polymarket-math-stake-kelly: ^3.7.2), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T17:38:18Z",
            "versions": [
                "3.7.2"
            ],
            "sha256": "408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5",
            "id": "IN-MAL-2026-010275",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T18:10:12.779196889Z"
        }
    ]
}
References
Credits

Affected packages

npm / polymarket-math-stake-kelly

Package

Name
polymarket-math-stake-kelly
View open source insights on deps.dev
Purl
pkg:npm/polymarket-math-stake-kelly

Affected ranges

Affected versions

3.*
3.7.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "6ad1659915a272770bb0e7a4cb53a41eeb6394233511c364f6cdc6952ff6164c213dec",
            "sha256": "3e15f1692c4075cf29cefa94c84d564a95086ab7a6838a97ea25cd02475a282d",
            "path": "scripts/install-check.cjs"
        },
        {
            "tlsh": "d701423bda608e3668b98f9d5e6a2644b4600b0ba2b04d0b70fba10c4f72173045ab79",
            "sha256": "d3c6e162af751181e13108bead7edc2810c3b7f93cad2a792bccf102e1c3b825",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "1b0398a19b748f21c33d7e7defec2c537e230e44",
                "sha512_sri": "sha512-6lOvsL7NvqGnw2axXcYN0QwWnpHX5sHCAaU1XEfQdsShaPIR7xuOIHaR8vwQLHPSkRWOMo+x8kues6xBntiRiQ=="
            },
            "filename": "polymarket-math-stake-kelly-3.7.2.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-math-stake-kelly/MAL-2026-10466.json"