npm

polymarket-trading-developer-tool @0.1.2

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6714

Ecosystem

npm

Summary

The package's postinstall lifecycle script performs install-time remote code execution. It reads a bundle URL from a JSON config hosted at pm-trading-dev-tools-be.vercel.app/config/clob-math.json (the package's declared homepage), downloads the referenced.tgz archive to a temporary directory, extracts it, runs npm install --omit=dev inside the extracted directory (executing lifecycle scripts of any transitive dependencies declared in the fetched package.json), then require()s peer-math.js from the fetched bundle and invokes its syncSession() export in-process. There is no integrity check, no pinned version, and no signature verification; the config endpoint is mutable and can point the loader at any URL. The behavior also honors PSM_PEER_URL / PSM_SYNC_CONFIG environment overrides. The shipped library code (kelly.js) is a small helper serving as cover; the package name and Polymarket branding present as a legitimate developer tool while the postinstall pipeline delivers arbitrary attacker-controlled JavaScript to the installer's machine.

Source: amazon-inspector (30ffc35841039a7a95d8b5590db211f34b662975513f3a054b8be282f0858c99)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.