polymarket-stake-maths @3.5.2
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC
OSV ID
MAL-2026-6439
Ecosystem
npm
Summary
On npm install, the package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://log-taker.store/config/stake-math-sync.json, reads a peerBundle URL from that config, downloads the referenced .tgz, extracts it into a .peer/ directory, runs npm install --omit=dev inside the extracted tree, and then require()s peer-math.js and invokes syncSession(). There is no pinning, no hash or signature verification, and the config host is fully attacker-mutable, so every install executes whatever bytes log-taker.store is currently serving. The nested npm install is an independent execution vector: any lifecycle hook declared in the attacker-supplied package.json runs with the installer's privileges. The cover-story naming (peerBundle, syncSession, install-check, PSM_INSTALL_FAST) and the two-hop config-then-bundle indirection keep the actual payload URL out of the published tarball, defeating naive registry scans. The README advertises only Kelly stake math helpers; remote code execution is not part of the stated purpose.
Source: amazon-inspector (657363aaa0b94385d30a26c1f4ee67923b0d877975850ad08f8364c2a901d8e7)