MAL-2026-3182

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/redeem-onchain-sdk/MAL-2026-3182.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3182
Published
2026-04-29T12:00:00Z
Modified
2026-04-30T23:10:54.513466Z
Summary
Malicious code in redeem-onchain-sdk (npm)
Details

redeem-onchain-sdk is a malicious npm package impersonating a Polymarket on-chain SDK. It collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and a month of git commit history, then ships everything over a raw TCP socket to an AWS-hosted C2. Two triggers fire it: a require() side effect in the package's main entry point (added in v1.0.1) and a postinstall hook (added in v1.0.5). The payload lives in dist/proxy.js, later renamed dist/index5_test.js.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (765d01eed7c5ad80c911fec6f2e1778fb2c14fa7165520416d85273858f7e3e3)

The package redeem-onchain-sdk was found to contain malicious code.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "765d01eed7c5ad80c911fec6f2e1778fb2c14fa7165520416d85273858f7e3e3",
            "modified_time": "2026-04-30T21:59:18Z",
            "source": "amazon-inspector",
            "import_time": "2026-04-30T22:23:13.562263137Z"
        }
    ]
}
References
Credits

Affected packages

npm / redeem-onchain-sdk

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.7

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/redeem-onchain-sdk/MAL-2026-3182.json"