polymarket-kelly-maths @3.5.3
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10069
Ecosystem
npm
Summary
The package's postinstall script (install-check.cjs) resolves a bundle URL from a remote JSON config at https://jipred.vercel.app/config/clob-math.json (derived from package.json homepage), downloads a.tgz bundle, extracts it into a.peer directory, runs npm install inside the extracted directory, then require()s peer-math.js from the bundle and invokes syncSession(). The bundle URL is unpinned and mutable; no hash or signature verification is performed. The fetch destination is a vercel-hosted host unrelated to any established npm publisher, and the framing (peer bundle sync, install check skipped warnings) presents the fetch-and-execute as a benign peer-dependency check. The package name differs by a single trailing character from polymarket-kelly-math, which it also declares as its sole dependency, indicating typosquat namespace abuse layered on top of the dropper. Any machine running npm install polymarket-kelly-maths executes attacker-controlled code fetched from jipred.vercel.app at install time.
Source: amazon-inspector (dc23601d9ca932f0a36a1a6e7115e37da1e984b1adf3b39b9612b72f5a3cf90f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.