MAL-2026-4643

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-clob-client/MAL-2026-4643.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4643
Published
2026-05-20T01:22:00Z
Modified
2026-05-26T06:02:47.644718190Z
Summary
Malicious code in polymarket-clob-client (npm)
Details

Source: amazon-inspector (7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec)

The package is published as polymarket-clob-client, an unscoped lookalike of the legitimate @polymarket/clob-client maintained by Polymarket, but the shipped code is the third-party Hyperliquid SDK, which targets a completely different exchange. Its package.json declares "description": "Hyperliquid API SDK for all major JS runtimes..." and its homepage points at github.com/nktkas/hyperliquid. The HTTP transport in script/transport/http/mod.js hardcodes https://api.hyperliquid.xyz as the default mainnet endpoint (exports.MAINNET_API_URL = "https://api.hyperliquid.xyz"). A developer who installs this package believing they are integrating with Polymarket's CLOB will instead be signing wallet messages and submitting trading orders to Hyperliquid. The structural signals, a clear name-squat of a well-known DeFi brand combined with code that silently routes wallet signatures and order intent to an unrelated venue, present concrete harm to anyone who installs it: misdirected funds and trading actions, regardless of whether the misnaming is intentional or negligent.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.1.1"
            ],
            "id": "IN-MAL-2026-003357",
            "modified_time": "2026-05-20T01:22:00Z",
            "import_time": "2026-05-26T05:50:29.269215944Z",
            "sha256": "7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec",
            "source": "amazon-inspector"
        }
    ]
}

Affected packages

npm / polymarket-clob-client

Package

Name
polymarket-clob-client
Purl
pkg:npm/polymarket-clob-client

Affected ranges

Affected versions

2.*
2.1.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-clob-client/MAL-2026-4643.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "polymarket-clob-client-2.1.1.tgz",
            "hashes": {
                "sha1": "686bb190279dd73143fa1fb423412f9b070e9cbe",
                "sha512_sri": "sha512-kOa3I07Zt6/8LsRnIv4A6iwzi9ZPGUS5Bsa3O1rILgNxzzHxY6OtArvr5XnbGzMIDKTNBVRQopnljFvnsZ8VUw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "2899259fdcf3e3d772eabbb38661a4394198d5bec4a58700319c3a1cd3da4c1e",
            "tlsh": "19318851cdf09ca315c422a06c66da96f03688878d24bc1637de451c4f8c6ef05fe36d"
        }
    ]
}