VDB
KO

MAL-2026-10070

Malicious code in polymarket-kelly-stake-math (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9798cce0effcbcf5ed3295f322a375bb1a3cbb7e9db4b7d88c802bf5116639e3) polymarket-kelly-stake-math@3.6.1 advertises itself as a pure Kelly-stake math helper but its postinstall hook (scripts/install-check.cjs, invoked from package.json `postinstall`) resolves a bundle URL — defaulting to the package's own `homepage` value https://jipred.vercel.app/config/clob-math.json — downloads a.tgz to a temp directory, extracts it into a `.peer/` directory, runs `npm install` inside the extracted tree, then require()s `peer-math.js` and awaits `syncSession()`. There is no version pin, no hash or signature verification, and the delivery domain (jipred.vercel.app) is unrelated to Polymarket or to the package publisher. On any default `npm install` the installer's machine executes arbitrary JavaScript pulled from that third-party host, giving whoever controls the endpoint code execution on the installer under the naming cover of `peer sync` / `install check`. Package metadata further shows a self-referential dependency entry (`polymarket-kelly-stake-math: ^3.6.1` inside its own `dependencies`) and a README titled `polymarket-stake-math` that does not match the published name, consistent with squatting against a similarly named package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / polymarket-kelly-stake-math

No fixed version published yet for polymarket-kelly-stake-math (npm). Pin to a known-safe version or switch to an alternative.

References