-= Per source details. Do not edit below this line.=-
The package is published as polymarket-clob-client, an unscoped lookalike of the legitimate @polymarket/clob-client maintained by Polymarket, but the shipped code is the third-party Hyperliquid SDK targeting a completely different exchange. package.json declares "description": "Hyperliquid API SDK for all major JS runtimes..." and the homepage points at github.com/nktkas/hyperliquid. The HTTP transport in script/transport/http/mod.js hardcodes https://api.hyperliquid.xyz as the default mainnet endpoint (exports.MAINNET_API_URL = "https://api.hyperliquid.xyz"). A developer who installs this package believing they are integrating with Polymarket's CLOB will instead be signing wallet messages and submitting trading orders to Hyperliquid. The structural signals — a clear name-squat of a well-known DeFi brand combined with code that silently routes wallet signatures and order intent to an unrelated venue — present concrete installer harm: misdirected funds and trading actions, regardless of whether the misnaming is intentional or negligent.
{
"malicious-packages-origins": [
{
"versions": [
"2.1.1"
],
"id": "IN-MAL-2026-003357",
"modified_time": "2026-05-20T01:22:00Z",
"import_time": "2026-05-26T05:50:29.269215944Z",
"sha256": "7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec",
"source": "amazon-inspector"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-clob-client/MAL-2026-4643.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "polymarket-clob-client-2.1.1.tgz",
"hashes": {
"sha1": "686bb190279dd73143fa1fb423412f9b070e9cbe",
"sha512_sri": "sha512-kOa3I07Zt6/8LsRnIv4A6iwzi9ZPGUS5Bsa3O1rILgNxzzHxY6OtArvr5XnbGzMIDKTNBVRQopnljFvnsZ8VUw=="
}
}
],
"evidence_files": [
{
"path": "package.json",
"sha256": "2899259fdcf3e3d772eabbb38661a4394198d5bec4a58700319c3a1cd3da4c1e",
"tlsh": "19318851cdf09ca315c422a06c66da96f03688878d24bc1637de451c4f8c6ef05fe36d"
}
]
}