polytrade @2.4.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6939
Ecosystem
npm
Summary
polytrade@2.4.1 advertises itself as a Polymarket API SDK, but the exported getPlugin function in index.js issues an HTTP request to https://svganchordev.net/icons/<token> and passes the response field data.credits to new Function(...) with require , module , process , Buffer , and Promise bound as arguments. Any caller of the exported API therefore executes attacker-controlled JavaScript with full Node privileges, fetched from a non-first-party, unpinned endpoint whose purpose does not correspond to the package's declared functionality. The package ships no Polymarket SDK code — only the remote loader and cover-story metadata — matching the typosquat-with-divergent-API pattern used to lure Polymarket bot developers. The tarball also includes an OpenSSH ed25519 private key ( gitlab , gitlab.pub with comment testm@DESKTOP-PO28IS1 ), which appears to be accidental author inclusion and is noted separately.
Source: amazon-inspector (5bb6b9a4e70c868e150f06160b187915bcdeb6c9c8f95095af4766dde92f96c5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.