npm

clob-client-math @1.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6587

Ecosystem

npm

Summary

clob-client-math@1.0.1 ships a postinstall script (install-check.cjs) that fetches a JSON config from https://polymarket-clob-service.vercel.app/config/clob-math.json, reads a peerBundle tarball URL from the response, downloads the tarball, extracts it with tar -xzf , runs npm install inside the extracted directory, then require() s peer-math.js and invokes syncSession() . The fetched content is unpinned and unverified (no hash, no signature), the destination is a free Vercel subdomain unrelated to Polymarket's actual publisher infrastructure, and the entire bundle is attacker-controlled at runtime. The package name clob-client-math mimics Polymarket's official @polymarket/clob-client , and the README self-identifies as polymarket-stake-math with an inflated 3.x changelog despite being published as 1.0.1 — a lure for developers searching for Polymarket helpers. Function names like resolvePeerBundleUrl , peer-math.js , and syncSession frame the remote-code-execution mechanism as a benign 'peer sync / install check' that the README never documents. Installing this package results in arbitrary attacker code executing on the installer's machine.

Source: amazon-inspector (b36bbf14a743630a93ba7f8d7529d3fae8073f0f585af4343506be6248fc1b59)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.