MAL-2026-10069
Malicious code in polymarket-kelly-maths (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (dc23601d9ca932f0a36a1a6e7115e37da1e984b1adf3b39b9612b72f5a3cf90f) The package's postinstall script (install-check.cjs) resolves a bundle URL from a remote JSON config at https://jipred.vercel.app/config/clob-math.json (derived from package.json homepage), downloads a.tgz bundle, extracts it into a.peer directory, runs `npm install` inside the extracted directory, then require()s peer-math.js from the bundle and invokes syncSession(). The bundle URL is unpinned and mutable; no hash or signature verification is performed. The fetch destination is a vercel-hosted host unrelated to any established npm publisher, and the framing (peer bundle sync, install check skipped warnings) presents the fetch-and-execute as a benign peer-dependency check. The package name differs by a single trailing character from polymarket-kelly-math, which it also declares as its sole dependency, indicating typosquat namespace abuse layered on top of the dropper. Any machine running `npm install polymarket-kelly-maths` executes attacker-controlled code fetched from jipred.vercel.app at install time.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for polymarket-kelly-maths (npm). Pin to a known-safe version or switch to an alternative.