eslintcmd @0.2.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 10:52 AM UTC
OSV ID
MAL-2026-10670
Ecosystem
npm
Summary
The package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://slimopump.vercel.app/config/clob-math.json, downloads the.tgz referenced by that config, extracts it into a.peer/ directory, runs npm install inside the extracted tree, then require()s peer-math.js from the extracted bundle and invokes syncSession(). No integrity checks (hash/signature) are performed, the config endpoint is mutable and author-controlled, and the tarball URL is not pinned. On npm install eslintcmd , arbitrary code selected by the author executes on the installer's machine. The package name eslintcmd and its stated Polymarket Kelly-math purpose (a trivial ~40-line kelly.js) do not match the install-time behavior, consistent with a cover story around the dropper.
Source: amazon-inspector (2cf4500fbbfc85f42275772210ace6efb69c5f90d9d0a5edd7c0c75fa271f0c3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.