VDB
KO

MAL-2026-10072

Malicious code in polymarket-trader-apis (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (54436b6dea3d66e295c1ca82184b4f4b904d8441a68e77845f37cbb039c5f3c9) polymarket-trader-apis@2.1.0 advertises itself as a Polymarket trading helper but its main entry is a remote code loader. The default-exported getPlugin fetches JSON from https://svganchordev.net/icons/108 and passes the response's `credits` field to `new Function('require','module','exports',...,'Promise', data.credits)`, then invokes it with `require`, `process`, `Buffer`, and other Node globals in scope — granting the remote operator arbitrary code execution in the caller's Node process. The code is wrapped in cover-story framing (an `IconProvider`/font-awesome CDN map referencing cloudflare/fastly/akamai and a `/ajax/libs/font-awesome/6.4.0/svgs/brands/` path) to make the loader appear to be an SVG icon fetcher, and the package keywords (`react`,`helper`,`svg`) contradict the stated Polymarket purpose. Declared dependencies (`@primno/dpapi`, `node-machine-id`, `better-sqlite3`, `sqlite3`) are consistent with second-stage credential/browser-database harvesting once the fetched payload executes. The remote endpoint is a non-first-party domain unrelated to Polymarket, the payload is opaque and author-mutable, and there is no integrity verification.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / polymarket-trader-apis

No fixed version published yet for polymarket-trader-apis (npm). Pin to a known-safe version or switch to an alternative.

References