npm

polymarket-stake-kelly-math-check @3.5.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10485

Ecosystem

npm

Summary

The package declares a postinstall hook ( node scripts/install-check.cjs ) that reads a remote JSON config from https://jipred.vercel.app/config/clob-math.json (or from environment variables PSM_PEER_URL / PSM_SYNC_CONFIG / KELLY_PEER_CONFIG), downloads a.tgz bundle to a temp directory, extracts it into <pkg>/.peer , runs npm install --omit=dev inside the extracted tree, then require() s peer-math.js from that tree and invokes syncSession() . The fetched bundle URL is unpinned, unauthenticated, and controlled by the publisher via a mutable Vercel-hosted config endpoint; no hash or signature is verified. Errors are swallowed with an install check skipped warning. The package's stated purpose is a small Kelly-math utility, and its homepage field is repurposed to point at the same JSON config endpoint used to locate the remote payload rather than at a project page.

Source: amazon-inspector (8a7da439d70295bc7192ecc100ebdff0b08a601d31aa98dcf20af783ec169a26)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.