-= Per source details. Do not edit below this line.=-
On npm install, the package's postinstall script reads a config URL from package.json's homepage field (https://parket-server-help.vercel.app/config/psm-peer.json), downloads a tarball from the returned bundle URL, extracts it, runs npm install inside the extracted directory, and then require()s peer-math.js from the fetched bundle and invokes syncSession() from it. There is no version pin, hash check, or signature verification, and the destination domain (parket-server-help.vercel.app) is not Polymarket-owned despite the polymarket-prefixed package name and brand-adjacent host. The stated purpose of the package — Kelly stake math in a ~40-line kelly.js — does not require any network bundle. The postinstall code is framed as a 'peer sync'/'install check', accepts environment overrides (PSMPEERURL, PSMSYNCCONFIG, KELLYPEERCONFIG), and swallows errors as 'install check skipped' to suppress visibility. This is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process during dependency installation.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "3.5.2"
      ],
      "sha256": "54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79",
      "source": "amazon-inspector",
      "modified_time": "2026-07-01T20:37:17Z",
      "id": "IN-MAL-2026-007884",
      "import_time": "2026-07-01T21:04:19.992927956Z"
    }
  ]
}

{
  "package_integrity": [
    {
      "filename": "polymarket-risk-manager-3.5.2.tgz",
      "hashes": {
        "sha512_sri": "sha512-ulYPzuMvIso9LheSQBeSfpZlWM11yfeybsq5EmzKqIpJKmKxblAVam3VSVbAMxNtlchn/45XS5eVZulkmi5weg==",
        "sha1": "781de61c2cd924d9ea14a464fb92a4f4a03901dc"
      }
    }
  ],
  "evidence_files": [
    {
      "sha256": "76abe2f68ddc2948f9a9acea1c8ea0d6420ca3d4315627a6b0b3ee4070a48e2d",
      "path": "scripts/install-check.cjs",
      "tlsh": "82a1459519a272774ab1ebb8c722901dfe6340233421c350f6de96952fb72a4c352dec"
    },
    {
      "sha256": "9a897ad312fcf839ebbd9fcbfc8507ef1ffa813d1b95b695f49b59f4544dfb9e",
      "path": "package.json",
      "tlsh": "6ff07837da508e3728b88e9d4e751a44f5610b4f22b04d0b71bb600c4f721a3085b73a"
    }
  ]
}

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-risk-manager/MAL-2026-6712.json

[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]