npm

polymarket-math-stake-kelly @3.7.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10466

Ecosystem

npm

Summary

polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs npm install inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every npm install . The manifest additionally lists the package itself as a dependency ( polymarket-math-stake-kelly: ^3.7.2 ), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.

Source: amazon-inspector (408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.