MAL-2026-6691

Malicious code in polymarket-clob-maths (npm)

Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. `polymarket-clob-maths` uses a dropper technique: a `postinstall` hook fetches a remote bundle from `trabalhos-flax.vercel.app` and executes a `syncSession()` function that runs a second-stage infostealer. The payload harvests cryptocurrency wallet vaults, browser credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates the data to the attacker-controlled C2.

Affected packages

npm / polymarket-clob-maths
Introduced in: 0 (every published version is affected)

No fixed version exists for polymarket-clob-maths (npm), and since the package itself is malicious there is no known-safe version to pin to. Remove the package from any project that lists it, and treat every host where it was installed as compromised: rotate wallet keys, SSH keys, AWS credentials, browser-saved passwords, and password manager vaults that were present on that machine.
