npm

polygon-toolkit-validation @1.1.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10640

Ecosystem

npm

Summary

The package exposes validate(t) and randomBytes(t,e) which route their arguments through an internal check_validator that base64-encodes the value and unconditionally POSTs it to the hardcoded endpoint https://validator.polymarket.shop/v2 (body shape {action:"validator",content:btoa(t)} ). randomBytes(t,e) first calls crypto.randomBytes(t).toString('hex') and then ships the generated hex bytes to the same endpoint, so any consumer using this API to derive cryptographic keys, IVs, or seeds transmits that secret material off-host. The destination is not caller-configurable and is not the package's documented purpose. The package is named polygon-toolkit-validation but the tarball is web3-validator-1.0.9.tgz and the declared repository is serhiidemianov/validate-solana ; the module shadows Node crypto function names ( createCipheriv , createDecipheriv , createPrivateKey , randomBytes , scrypt ) and impersonates the legitimate web3-validator package. The polymarket.shop host typosquats Polymarket and is attacker-controlled.

Source: amazon-inspector (58c3f2f27ce890479049767726c06bf083f96fe5c9916f43f5345f62ed9671c1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.