VDB
KO

MAL-2026-10466

Malicious code in polymarket-math-stake-kelly (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5) polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs `npm install` inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every `npm install`. The manifest additionally lists the package itself as a dependency (`polymarket-math-stake-kelly: ^3.7.2`), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / polymarket-math-stake-kelly

No fixed version published yet for polymarket-math-stake-kelly (npm). Pin to a known-safe version or switch to an alternative.

References