npm

clob-math-v2 @2.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10083

Ecosystem

npm

Summary

Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a peerBundle tarball URL from the response, downloads the.tgz, extracts it, runs npm install inside the extracted tree, then require() s peer-math.js from it and invokes syncSession() . The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every npm install . Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.

Source: amazon-inspector (4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.