neon-poly-utls @1.3.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-10089
Ecosystem
npm
Summary
The package's postinstall script reads a URL from package.json.homepage pointing to polymarket-clob-service.vercel.app/config/clob-math.json, fetches that JSON to resolve a peer-bundle URL, downloads a.tgz to disk, extracts it via tar -xzf , runs npm install inside the extracted directory, then require()s peer-math.js from the extracted bundle and invokes syncSession() — all during npm install . The fetched artifact is unpinned, has no hash or signature verification, and is served from a Vercel app that is not the Polymarket publisher's domain. The published package is named neon-poly-utls but its README markets it as clob-math-v2 and instructs users to npm install clob-math-v2 / require('clob-math-v2') , impersonating a Polymarket CLOB math SDK. Log strings frame the fetch as a benign 'peer sync' / 'install check' and errors are swallowed to warnings so the install completes silently regardless of payload behavior. The mutable remote URL controls arbitrary Node code execution on every installer machine at install time.
Source: amazon-inspector (0d32a00f9baf3245d9fb2850131a024274a409ca0eb90ac9db6e3e7dc37d379f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.