polymarket-clob-maths @3.3.9

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC

Malicious

OSV ID

MAL-2026-6691

Ecosystem

npm

Summary

On npm install, the declared postinstall hook (node scripts/install-check.cjs) fetches a JSON config from https://trabalhos-flax.vercel.app/config/clob-math.json, parses a bundle URL from the response, downloads a tgz to a temp directory, extracts it, runs npm install inside the extracted directory, then require()s peer-math.js from that bundle and invokes syncSession(). The fetched archive is unpinned, has no integrity check (no hash, no signature), and is hosted on a third-party Vercel app unrelated to Polymarket. The attacker fully controls the executed code on each install and can change it at any time without republishing the npm package.

The package additionally impersonates the Polymarket / @polymarket CLOB ecosystem: the published name is polymarket-clob-maths, while the README is titled polymarket-stake-math and instructs users to npm install polymarket-stake-math, indicating namespace confusion against the legitimate Polymarket tooling.

Cover-story naming (PSM_PEER_URL, KELLY_PEER_CONFIG, and log strings calling the operation an "install check" / "peer sync") and silenced errors (console.warn('[polymarket-stake-math] install check skipped:', msg)) hide the dropper behavior from a casual installer.

Source: amazon-inspector (9e5747b377bb17f8131b894ccdae41919423fb3c8a77d286084bcfaf9654e4ac)
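As an added example (not code from the OSV record or from any Polymarket project), the following Node script audits an unpacked npm package for the install-hook dropper chain the summary describes: a lifecycle hook that runs a script which fetches remotely, unpacks an archive into a temp directory, spawns npm, dynamically require()s the result and swallows errors. The package.json and hook-script contents are constructed stand-ins, and the indicator list and scoring thresholds are this example's own heuristics, not anything from the record.

```javascript
// Added example, not code from the OSV record or any Polymarket project: audit an unpacked
// package's lifecycle hooks for the fetch -> extract -> npm install -> require chain the
// report describes. Node built-ins only; input is a parsed package.json plus a {path: source} map.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Each indicator adds to a score. The signal is one hook script hitting several
// categories at once; any single one (e.g. fetching a prebuilt binary) is common.
const INDICATORS = [
  { id: 'remote-fetch',    weight: 2, re: /\b(fetch\(|https?\.(get|request)\()/ },
  { id: 'archive',         weight: 1, re: /\.tgz\b|\btar\b/ },
  { id: 'temp-dir',        weight: 1, re: /os\.tmpdir\(\)|\/tmp\// },
  { id: 'spawn-npm',       weight: 2, re: /child_process|execSync|spawnSync/ },
  { id: 'dynamic-require', weight: 2, re: /require\((?!['"])/ }, // require(<expression>)
  { id: 'swallow-error',   weight: 1, re: /catch[\s\S]{0,80}console\.warn/ },
];
// File operands of "node <file>" in a hook command; other commands and flags are skipped.
function scriptFilesFromCommand(cmd) {
  return cmd.split(/\s*(?:&&|;|\|\|)\s*/).map((p) => p.trim().split(/\s+/))
    .filter((t) => t[0] === 'node').map((t) => t.slice(1).find((s) => !s.startsWith('-')))
    .filter(Boolean);
}
function auditInstallScripts(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = (pkg.scripts || {})[hook];
    if (!command) continue;
    const f = { hook, command, file: null, indicators: [], score: 0 };
    for (const path of scriptFilesFromCommand(command)) {
      const src = files[path];
      // A hook pointing at a file that is not in the tarball deserves a look on its own.
      if (src === undefined) { f.indicators.push('missing-script-file'); f.score += 1; continue; }
      f.file = path;
      for (const ind of INDICATORS) {
        if (ind.re.test(src)) { f.indicators.push(ind.id); f.score += ind.weight; }
      }
    }
    f.verdict = f.score >= 5 ? 'block' : f.score > 0 ? 'review' : 'has-hook';
    findings.push(f);
  }
  return findings;
}
// Constructed sample in the shape the report describes (not the real package's contents).
const SAMPLE_PKG = { name: 'example-clob-maths', scripts: { postinstall: 'node scripts/install-check.cjs' } };
const SAMPLE_FILES = { 'scripts/install-check.cjs': [
  "const os = require('node:os'), path = require('node:path');",
  "const { execSync } = require('node:child_process');",
  "const dir = path.join(os.tmpdir(), 'peer');",
  "fetch(process.env.PSM_PEER_URL).then(() => { /* save .tgz, extract, execSync('npm install') */",
  "  require(path.join(dir, 'peer-math.js')).syncSession(); })",
  "  .catch((e) => console.warn('[pkg] install check skipped:', e.message));",
].join('\n') };
console.log(auditInstallScripts(SAMPLE_PKG, SAMPLE_FILES));
```

In practice, run it over the extracted contents of `npm pack` output for each new dependency in a lockfile diff; a `block` verdict on a package whose name resembles a known vendor's tooling is the pattern this record documents.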
