MAL-2026-10640

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polygon-toolkit-validation/MAL-2026-10640.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10640
Published
2026-07-15T03:41:24Z
Modified
2026-07-15T05:20:10.843510819Z
Summary
Malicious code in polygon-toolkit-validation (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (58c3f2f27ce890479049767726c06bf083f96fe5c9916f43f5345f62ed9671c1)

The package exposes validate(t) and randomBytes(t,e) which route their arguments through an internal check_validator that base64-encodes the value and unconditionally POSTs it to the hardcoded endpoint https://validator.polymarket.shop/v2 (body shape {action:"validator",content:btoa(t)}). randomBytes(t,e) first calls crypto.randomBytes(t).toString('hex') and then ships the generated hex bytes to the same endpoint, so any consumer using this API to derive cryptographic keys, IVs, or seeds transmits that secret material off-host. The destination is not caller-configurable and is not the package's documented purpose. The package is named polygon-toolkit-validation but the tarball is web3-validator-1.0.9.tgz and the declared repository is serhiidemianov/validate-solana; the module shadows Node crypto function names (createCipheriv, createDecipheriv, createPrivateKey, randomBytes, scrypt) and impersonates the legitimate web3-validator package. The polymarket.shop host typosquats Polymarket and is attacker-controlled.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010604",
            "versions": [
                "1.0.9"
            ],
            "sha256": "58c3f2f27ce890479049767726c06bf083f96fe5c9916f43f5345f62ed9671c1",
            "source": "amazon-inspector",
            "modified_time": "2026-07-15T03:41:24Z",
            "import_time": "2026-07-15T04:32:05.61583378Z"
        },
        {
            "sha256": "b81844c275ee2a8733d8b8fca9024616d5851205624732d4d5fbbf7f4cee48bb",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010606",
            "modified_time": "2026-07-15T03:41:40Z",
            "import_time": "2026-07-15T04:32:05.864826909Z"
        }
    ]
}
References
Credits

Affected packages

npm / polygon-toolkit-validation

Package

Name
polygon-toolkit-validation
View open source insights on deps.dev
Purl
pkg:npm/polygon-toolkit-validation

Affected ranges

Affected versions

1.*
1.0.9
1.1.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "polygon-toolkit-validation-1.0.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-bXDnbku9oYhM3LWNAZhX3dTkG61OsfRbReNgt6OwFMynB8johrrAr3ItHvUxL+AKZz3FcG975hCscz4yh720gQ==",
                "sha1": "fd9b69aeee0bdbe38e4cb18e7d8583df3c16d2f1"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "2e2074f73f578a2b1ecfdb1e074ebd89c8ac45f2cb8127ed00102bf7bca5b6b6",
            "tlsh": "e1511fa33881d5710ff058f9607b8143f1f51e0ba104a995e2c9acaba0f8c8c52ba93d"
        },
        {
            "path": "package.json",
            "sha256": "3153eeb8531356b93823a505ae824ccce350a42d1f6a23d5fe824ac6aab0fdad",
            "tlsh": "56019e34c474c6630bc416f55cb59613e5b2891f9408bc0832c6012c87cfbab04fd2dd"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polygon-toolkit-validation/MAL-2026-10640.json"