clob-client-math @1.0.0

Summary

On npm install, the package's postinstall script fetches a JSON config from datasecure-service.vercel.app/config/clob-math.json, downloads a tarball from a URL contained in that response, extracts it under a.peer/ directory, runs npm install inside the extracted tree, then require()s the resulting peer-math.js and invokes its syncSession() function. The fetched payload is unpinned, unverified (no hash or signature check), mutable, and hosted on infrastructure unrelated to any documented Polymarket publisher. The dropper path is framed in console output as a benign 'install check' / 'peer sync', while the package's advertised purpose is Kelly-criterion stake sizing math — no part of that purpose requires fetching and executing remote code at install time. The package name and README also impersonate the legitimate @polymarket/clob-client ecosystem, indicating the lure targets Polymarket developers. Installing this package causes arbitrary attacker-controlled code to execute on the installer's machine.

Source: amazon-inspector (9e5d9d8399e2b05081019def33eac48372a162c8c9a069c26d4225285ffe0a18)