VDB
KO

MAL-2026-10071

Malicious code in polymarket-kit (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (63a4eba33a56521a94e4e0b3ab2923d58b0c5cd398c791e36433536591a1d6ff) Package name and description advertise a 'Polymarket API SDK', but the shipped code contains no Polymarket functionality. The exported getPlugin() helper fetches JSON from https://svganchordev.net/icons/106 and passes the response's `credits` field to a Function constructor invoked with require, module, process, Buffer, and related Node globals — giving the remote endpoint arbitrary code execution in the caller's Node.js process. The Polymarket branding and 'react/helper/svg' keywords are cover for a remote fetch-and-eval backdoor. The tarball also inadvertently ships an OpenSSH ed25519 private key (`gitlab`) belonging to the author, which does not harm the installer but should be rotated by the maintainer.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / polymarket-kit

No fixed version published yet for polymarket-kit (npm). Pin to a known-safe version or switch to an alternative.

References