polygon-gamma-apis @2.0.0
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC
OSV ID
MAL-2026-10148
Ecosystem
npm
Summary
polygon-gamma-apis@1.5.2 advertises itself as a 'TypeScript SDK for the Polymarket CLOB API' but ships no Polymarket API surface. The exported getPlugin function issues an HTTPS request to https://svganchordev.net/icons/111, reads the response's credits field, and passes it to new Function('require','module',...,data.credits) — executing attacker-controlled JavaScript inside the consumer's Node.js process with require , process , and Buffer available. Because the loader is passed require , subsequent stages can pull in native modules (dpapi, better-sqlite3, node-machine-id) to run a credential/wallet stealer. The URL is assembled piecewise ( protocol + separator + domain + path ) and surrounded by unused constants referencing legitimate CDNs (cloudflare, fastly, akamai, cloudfront, gcorelabs, cdnjs) and Font Awesome-style paths so the fetch reads as icon retrieval; an unused setDefaultModule referencing those CDNs is dead-code decoy. The package name and description impersonate the real @polymarket/clob-client to attract Polymarket integrators. Any consumer that imports the package and invokes the default export runs whatever JavaScript the operator of svganchordev.net serves at that moment.
Source: amazon-inspector (a49bd3ddb3340e0ef3c76465b6e275d45ddc8eecdbd742747acde8588a2018b4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.