MAL-2026-6691

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-clob-maths/MAL-2026-6691.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6691
Published
2026-06-30T00:00:00Z
Modified
2026-06-30T21:01:39.334787366Z
Summary
Malicious code in polymarket-clob-maths (npm)
Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-clob-maths uses a dropper technique: a postinstall hook fetches a remote bundle from trabalhos-flax.vercel.app and executes a syncSession() function that runs a second-stage infostealer. The payload harvests cryptocurrency wallet vaults, browser credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates the data to the attacker-controlled C2.

Database specific
{
    "malicious-packages-origins": null
}
References
Credits

Affected packages

npm / polymarket-clob-maths

Package

Name
polymarket-clob-maths
View open source insights on deps.dev
Purl
pkg:npm/polymarket-clob-maths

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

iocs
{
    "domains": [
        "trabalhos-flax.vercel.app"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-clob-maths/MAL-2026-6691.json"