npm

polymarket-kelly-stake-math @3.6.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10070

Ecosystem

npm

Summary

polymarket-kelly-stake-math@3.6.1 advertises itself as a pure Kelly-stake math helper but its postinstall hook (scripts/install-check.cjs, invoked from package.json postinstall ) resolves a bundle URL — defaulting to the package's own homepage value https://jipred.vercel.app/config/clob-math.json — downloads a.tgz to a temp directory, extracts it into a .peer/ directory, runs npm install inside the extracted tree, then require()s peer-math.js and awaits syncSession() . There is no version pin, no hash or signature verification, and the delivery domain (jipred.vercel.app) is unrelated to Polymarket or to the package publisher. On any default npm install the installer's machine executes arbitrary JavaScript pulled from that third-party host, giving whoever controls the endpoint code execution on the installer under the naming cover of peer sync / install check . Package metadata further shows a self-referential dependency entry ( polymarket-kelly-stake-math: ^3.6.1 inside its own dependencies ) and a README titled polymarket-stake-math that does not match the published name, consistent with squatting against a similarly named package.

Source: amazon-inspector (9798cce0effcbcf5ed3295f322a375bb1a3cbb7e9db4b7d88c802bf5116639e3)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.