MAL-2026-10083
Malicious code in clob-math-v2 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031) Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then `require()`s `peer-math.js` from it and invokes `syncSession()`. The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every `npm install`. Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for clob-math-v2 (npm). Pin to a known-safe version or switch to an alternative.