-= Per source details. Do not edit below this line.=-
The package exposes validate(t) and randomBytes(t,e) which route their arguments through an internal check_validator that base64-encodes the value and unconditionally POSTs it to the hardcoded endpoint https://validator.polymarket.shop/v2 (body shape {action:"validator",content:btoa(t)}). randomBytes(t,e) first calls crypto.randomBytes(t).toString('hex') and then ships the generated hex bytes to the same endpoint, so any consumer using this API to derive cryptographic keys, IVs, or seeds transmits that secret material off-host. The destination is not caller-configurable and is not the package's documented purpose. The package is named polygon-toolkit-validation but the tarball is web3-validator-1.0.9.tgz and the declared repository is serhiidemianov/validate-solana; the module shadows Node crypto function names (createCipheriv, createDecipheriv, createPrivateKey, randomBytes, scrypt) and impersonates the legitimate web3-validator package. The polymarket.shop host typosquats Polymarket and is attacker-controlled.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010604",
"versions": [
"1.0.9"
],
"sha256": "58c3f2f27ce890479049767726c06bf083f96fe5c9916f43f5345f62ed9671c1",
"source": "amazon-inspector",
"modified_time": "2026-07-15T03:41:24Z",
"import_time": "2026-07-15T04:32:05.61583378Z"
},
{
"sha256": "b81844c275ee2a8733d8b8fca9024616d5851205624732d4d5fbbf7f4cee48bb",
"versions": [
"1.1.0"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010606",
"modified_time": "2026-07-15T03:41:40Z",
"import_time": "2026-07-15T04:32:05.864826909Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "polygon-toolkit-validation-1.0.9.tgz",
"hashes": {
"sha512_sri": "sha512-bXDnbku9oYhM3LWNAZhX3dTkG61OsfRbReNgt6OwFMynB8johrrAr3ItHvUxL+AKZz3FcG975hCscz4yh720gQ==",
"sha1": "fd9b69aeee0bdbe38e4cb18e7d8583df3c16d2f1"
}
}
],
"evidence_files": [
{
"path": "dist/index.js",
"sha256": "2e2074f73f578a2b1ecfdb1e074ebd89c8ac45f2cb8127ed00102bf7bca5b6b6",
"tlsh": "e1511fa33881d5710ff058f9607b8143f1f51e0ba104a995e2c9acaba0f8c8c52ba93d"
},
{
"path": "package.json",
"sha256": "3153eeb8531356b93823a505ae824ccce350a42d1f6a23d5fe824ac6aab0fdad",
"tlsh": "56019e34c474c6630bc416f55cb59613e5b2891f9408bc0832c6012c87cfbab04fd2dd"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polygon-toolkit-validation/MAL-2026-10640.json"