MAL-2026-10466
Malicious code in polymarket-math-stake-kelly (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5) polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs `npm install` inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every `npm install`. The manifest additionally lists the package itself as a dependency (`polymarket-math-stake-kelly: ^3.7.2`), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for polymarket-math-stake-kelly (npm). Pin to a known-safe version or switch to an alternative.