npm

polygon-gama-apis @1.4.1

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC

Malicious

OSV ID

MAL-2026-10147

Ecosystem

npm

Summary

polygon-gama-apis exports getPlugin(), which fetches JSON from https://bet.slotgambit.com/icons/111 and passes the response field data.credits directly to the JavaScript Function constructor, invoking it with a full Node.js context (require, module, exports, process, Buffer, __dirname). Any consumer that imports the package and calls the exported API executes whatever JavaScript the remote server returns at that moment, granting the operator of bet.slotgambit.com arbitrary code execution in the installer's process. The C2 URL is assembled from split string fragments (protocol/domain/separator/path) and the executable JS is delivered in a field named 'credits' — cosmetic disguises typical of remote-loader malware. Package metadata is also deceptive: the name (polygon-gama-apis) and keywords (react, helper, svg) contradict the declared description and README (a 'Tailwindcss Forms Bundler'), and the README instructs users to require a different name entirely — a cover story to lure installs from multiple unrelated ecosystems (Web3/Polygon, React, Tailwind). Bundled dependencies (@primno/dpapi, node-machine-id, better-sqlite3) are consistent with credential and wallet-stealer payloads delivered on demand.

Source: amazon-inspector (f0e5efa9d57dae04a6082dfa776d2c2664f3ce5a838ed9cf56f40656937b7e92)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.