npm

polymarket-stake-kelly-math @3.8.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10467

Ecosystem

npm

Summary

polymarket-stake-kelly-math@3.8.2 ships a postinstall script (scripts/install-check.cjs referenced by package.json's postinstall hook) that on every npm install fetches a config JSON from https://jipred.vercel.app/config/clob-math.json, downloads a.tgz bundle referenced by that config to a.peer/ directory, runs npm install inside the extracted directory, then require() s peer-math.js and calls syncSession(). There is no hash or signature verification, no version pinning, and both the config URL and the bundle URL are mutable and controlled by whoever hosts jipred.vercel.app. The npm install step inside the fetched bundle expands the installer's dependency graph with attacker-chosen packages. package.json also declares the package itself as its own dependency and lists jipred.vercel.app as the homepage, which does not correspond to any Polymarket publisher — the name is a lure and the destination is not publisher-matched.

Source: amazon-inspector (01715ebd11c8adf6ac26ce11bc5fc07e6cfb6775fa77dbe1ca022d0d6593b99c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.