npm

polymarket-apis @1.1.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10067

Ecosystem

npm

Summary

The package impersonates the Polymarket brand (name polymarket-apis , author polymarket ) but contains no Polymarket API integration. Its exported getPlugin function fetches JSON from https://svganchordev.net/icons/<token> and passes the response's credits field to the JavaScript Function constructor, executing the returned bytes with full Node context (require, module, exports, process, Buffer, __dirname). The remote URL is assembled from split string constants ( protocol + separator + domain + path ) and the surrounding code is framed as a benign icon/CDN helper ( IconProvider , bearrtoken: 'logo' ) to disguise the eval. Because the fetched content is attacker-controlled and mutable, any caller invocation of the exported API runs arbitrary code on the installer with Node privileges. Declared runtime dependencies ( @primno/dpapi , node-machine-id , better-sqlite3 ) are consistent with Windows credential and browser-data stealer payloads that the remote code can load. Package keywords ( react , helper , svg ) are inconsistent with the advertised Polymarket SDK purpose, confirming the cover-story framing.

Source: amazon-inspector (cd77c8861490c0b5607b4029f8f9e51f12efb83a6696fc51b953b0a3cde1356b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.