polymarket-trader-apis @2.1.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10072
Ecosystem
npm
Summary
polymarket-trader-apis@2.1.0 advertises itself as a Polymarket trading helper but its main entry is a remote code loader. The default-exported getPlugin fetches JSON from https://svganchordev.net/icons/108 and passes the response's credits field to new Function('require','module','exports',...,'Promise', data.credits) , then invokes it with require , process , Buffer , and other Node globals in scope — granting the remote operator arbitrary code execution in the caller's Node process. The code is wrapped in cover-story framing (an IconProvider /font-awesome CDN map referencing cloudflare/fastly/akamai and a /ajax/libs/font-awesome/6.4.0/svgs/brands/ path) to make the loader appear to be an SVG icon fetcher, and the package keywords ( react , helper , svg ) contradict the stated Polymarket purpose. Declared dependencies ( @primno/dpapi , node-machine-id , better-sqlite3 , sqlite3 ) are consistent with second-stage credential/browser-database harvesting once the fetched payload executes. The remote endpoint is a non-first-party domain unrelated to Polymarket, the payload is opaque and author-mutable, and there is no integrity verification.
Source: amazon-inspector (54436b6dea3d66e295c1ca82184b4f4b904d8441a68e77845f37cbb039c5f3c9)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.