npm

ts-elinter@3.3.9

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC

Malicious

OSV ID

MAL-2026-6720

Ecosystem

npm

Summary

On npm install, the package's postinstall script (scripts/install-check.cjs) fetches a JSON pointer from https://trabalhos-flax.vercel.app/config/clob-math.json, downloads the referenced .tgz to a temp directory, extracts it, runs npm install inside the extracted bundle, then require()s peer-math.js and invokes syncSession(). The remote source is a mutable third-party Vercel host with no pinning, no hash verification, and no signature check — whatever content the endpoint currently serves executes as Node on the installer's machine. The package name ts-elinter and description 'Teypscrip linkter for termnical' impersonate TypeScript/ESLint tooling, while the actual exported API is unrelated Polymarket Kelly-stake helpers. Cover-story naming (peer-math.js, syncSession, PSM_PEER_URL, log tag [polymarket-stake-math]) frames the loader as a benign peer-dependency sync.

Source: amazon-inspector (ce2fcb236f368214aa75fe60d233081a72077737e856e403c15d44fe9c940767)
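
A lockfile check for the package in this report, as an added example (not part of the OSV record or of any vendor's tooling): it flags ts-elinter@3.3.9 in a package-lock.json with lockfileVersion 2 or 3, including installs under an alias, and lists every dependency npm recorded with hasInstallScript, the install hook this package relies on. The sample lockfile and all package names in it other than ts-elinter are constructed.

```javascript
// Known-malicious versions taken from this report (MAL-2026-6720).
const BLOCKLIST = new Map([['ts-elinter', new Set(['3.3.9'])]]);

// Package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for non-dependencies.
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Returns blocklisted entries plus every entry npm recorded as having
// install-time lifecycle scripts (hasInstallScript: true).
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const blocked = [];
  const installScripts = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const keyName = nameFromKey(path);
    if (!keyName || entry.link) continue; // root project, workspaces, symlinks
    const name = entry.name || keyName;   // "name" is set when installed under an alias
    const hit = { name, version: entry.version, path };
    if (blocklist.get(name)?.has(entry.version)) blocked.push(hit);
    if (entry.hasInstallScript) installScripts.push(hit);
  }
  return { blocked, installScripts };
}

// Reads a real package-lock.json; dynamic import works in CommonJS and ESM.
async function auditFile(file) {
  const { readFileSync } = await import('node:fs');
  return auditLockfile(JSON.parse(readFileSync(file, 'utf8')));
}

// Constructed sample lockfile (all names except ts-elinter are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/native-addon-example': { version: '0.2.1', hasInstallScript: true },
    'node_modules/plain-lib-example': { version: '1.3.0' },
    'node_modules/a-example/node_modules/ts-elinter': { version: '3.3.9', hasInstallScript: true },
    'node_modules/lint-alias': { name: 'ts-elinter', version: '3.3.9', hasInstallScript: true },
    'node_modules/ts-elinter-other': { version: '3.3.9' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Installing with npm ci --ignore-scripts keeps lifecycle hooks such as this postinstall from running at install time.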
