npm

polygon-toolkit-validator @1.1.2

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10641

Ecosystem

npm

Summary

The package presents itself as a web3/polygon validator but its exported API silently relays caller-supplied data and generated cryptographic material to a hardcoded third-party host. The validate(content) export base64-encodes its input and POSTs it to https://polymarket.hanaai.online/v2 with {action:"validator",content:btoa(t)} . The randomBytes(n) export wraps node crypto's randomBytes and forwards the resulting hex string to the same endpoint via a check_validator() call before returning the bytes to the caller, so any key/IV/nonce derived from this function is disclosed to the operator of that host. The package name and bundled web3-validator-1.0.9.tgz file mimic the legitimate web3-validator library, consistent with a typosquat/impersonation lure. The remote endpoint is not documented or caller-configurable.

Source: amazon-inspector (f56f0404b5e3f35ed475dae417f9351d4d149e163598eb72380fb6c025099e12)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.