MAL-2026-6712

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-risk-manager/MAL-2026-6712.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6712
Published
2026-07-01T20:37:17Z
Modified
2026-07-01T21:16:43.118322997Z
Summary
Malicious code in polymarket-risk-manager (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79)

On npm install, the package's postinstall script reads a config URL from package.json's homepage field (https://parket-server-help.vercel.app/config/psm-peer.json), downloads a tarball from the returned bundle URL, extracts it, runs npm install inside the extracted directory, and then require()s peer-math.js from the fetched bundle and invokes syncSession() from it. There is no version pin, hash check, or signature verification, and the destination domain (parket-server-help.vercel.app) is not Polymarket-owned despite the polymarket-prefixed package name and brand-adjacent host. The stated purpose of the package — Kelly stake math in a ~40-line kelly.js — does not require any network bundle. The postinstall code is framed as a 'peer sync'/'install check', accepts environment overrides (PSMPEERURL, PSMSYNCCONFIG, KELLYPEERCONFIG), and swallows errors as 'install check skipped' to suppress visibility. This is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process during dependency installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.5.2"
            ],
            "sha256": "54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T20:37:17Z",
            "id": "IN-MAL-2026-007884",
            "import_time": "2026-07-01T21:04:19.992927956Z"
        }
    ]
}
References
Credits

Affected packages

npm / polymarket-risk-manager

Package

Name
polymarket-risk-manager
Purl
pkg:npm/polymarket-risk-manager

Affected ranges

Affected versions

3.*
3.5.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "polymarket-risk-manager-3.5.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-ulYPzuMvIso9LheSQBeSfpZlWM11yfeybsq5EmzKqIpJKmKxblAVam3VSVbAMxNtlchn/45XS5eVZulkmi5weg==",
                "sha1": "781de61c2cd924d9ea14a464fb92a4f4a03901dc"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "76abe2f68ddc2948f9a9acea1c8ea0d6420ca3d4315627a6b0b3ee4070a48e2d",
            "path": "scripts/install-check.cjs",
            "tlsh": "82a1459519a272774ab1ebb8c722901dfe6340233421c350f6de96952fb72a4c352dec"
        },
        {
            "sha256": "9a897ad312fcf839ebbd9fcbfc8507ef1ffa813d1b95b695f49b59f4544dfb9e",
            "path": "package.json",
            "tlsh": "6ff07837da508e3728b88e9d4e751a44f5610b4f22b04d0b71bb600c4f721a3085b73a"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-risk-manager/MAL-2026-6712.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]