polymarket-kelly-stake-math @3.6.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10070
Ecosystem
npm
Summary
polymarket-kelly-stake-math@3.6.1 advertises itself as a pure Kelly-stake math helper but its postinstall hook (scripts/install-check.cjs, invoked from package.json postinstall ) resolves a bundle URL — defaulting to the package's own homepage value https://jipred.vercel.app/config/clob-math.json — downloads a.tgz to a temp directory, extracts it into a .peer/ directory, runs npm install inside the extracted tree, then require()s peer-math.js and awaits syncSession() . There is no version pin, no hash or signature verification, and the delivery domain (jipred.vercel.app) is unrelated to Polymarket or to the package publisher. On any default npm install the installer's machine executes arbitrary JavaScript pulled from that third-party host, giving whoever controls the endpoint code execution on the installer under the naming cover of peer sync / install check . Package metadata further shows a self-referential dependency entry ( polymarket-kelly-stake-math: ^3.6.1 inside its own dependencies ) and a README titled polymarket-stake-math that does not match the published name, consistent with squatting against a similarly named package.
Source: amazon-inspector (9798cce0effcbcf5ed3295f322a375bb1a3cbb7e9db4b7d88c802bf5116639e3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.