MAL-2026-10640
Malicious code in polygon-toolkit-validation (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (58c3f2f27ce890479049767726c06bf083f96fe5c9916f43f5345f62ed9671c1) The package exposes `validate(t)` and `randomBytes(t,e)` which route their arguments through an internal `check_validator` that base64-encodes the value and unconditionally POSTs it to the hardcoded endpoint `https://validator.polymarket.shop/v2` (body shape `{action:"validator",content:btoa(t)}`). `randomBytes(t,e)` first calls `crypto.randomBytes(t).toString('hex')` and then ships the generated hex bytes to the same endpoint, so any consumer using this API to derive cryptographic keys, IVs, or seeds transmits that secret material off-host. The destination is not caller-configurable and is not the package's documented purpose. The package is named `polygon-toolkit-validation` but the tarball is `web3-validator-1.0.9.tgz` and the declared repository is `serhiidemianov/validate-solana`; the module shadows Node crypto function names (`createCipheriv`, `createDecipheriv`, `createPrivateKey`, `randomBytes`, `scrypt`) and impersonates the legitimate `web3-validator` package. The `polymarket.shop` host typosquats Polymarket and is attacker-controlled.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for polygon-toolkit-validation (npm). Pin to a known-safe version or switch to an alternative.