npm

polymarket-risk-manager @3.5.2

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC

Malicious

OSV ID

MAL-2026-6712

Ecosystem

npm

Summary

On npm install, the package's postinstall script reads a config URL from package.json's homepage field (https://parket-server-help.vercel.app/config/psm-peer.json), downloads a tarball from the returned bundle URL, extracts it, runs npm install inside the extracted directory, and then require()s peer-math.js from the fetched bundle and invokes syncSession() from it. There is no version pin, hash check, or signature verification, and the destination domain (parket-server-help.vercel.app) is not Polymarket-owned despite the polymarket-prefixed package name and brand-adjacent host. The stated purpose of the package, Kelly stake math in a ~40-line kelly.js, does not require any network bundle. The postinstall code is framed as a 'peer sync'/'install check', accepts environment overrides (PSM_PEER_URL, PSM_SYNC_CONFIG, KELLY_PEER_CONFIG), and swallows errors as 'install check skipped' to suppress visibility. This is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process during dependency installation.

Source: amazon-inspector (54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79)
