
MAL-2026-6712

Malicious code in polymarket-risk-manager (npm)

Details


## Source: amazon-inspector (54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79)

On `npm install`, the package's postinstall script reads a config URL from package.json's `homepage` field (https://parket-server-help.vercel.app/config/psm-peer.json), downloads a tarball from the returned bundle URL, extracts it, runs `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from the fetched bundle and invokes `syncSession()` from it. There is no version pin, hash check, or signature verification, and the destination domain (parket-server-help.vercel.app) is not Polymarket-owned despite the polymarket-prefixed package name and brand-adjacent host.

The stated purpose of the package — Kelly stake math in a ~40-line kelly.js — does not require any network bundle. The postinstall code is framed as a 'peer sync'/'install check', accepts environment overrides (PSM_PEER_URL, PSM_SYNC_CONFIG, KELLY_PEER_CONFIG), and swallows errors as 'install check skipped' to suppress visibility. This is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process during dependency installation.
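The shape described above (an install-time lifecycle hook that runs a bundled script and reads its download location from `homepage`) can be screened for before a package is ever installed. The audit function below is an added example, not part of this OSV record or of any Polymarket project; the two package.json dicts are constructed to mirror the described shape, with placeholder hostnames rather than the advisory's indicators, and `expected_hosts` is an assumed allow-list a reviewer supplies per publisher.

```python
import re
from urllib.parse import urlparse

# npm runs these lifecycle hooks automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Signals inside a hook command: it runs a package-local script, or it
# reaches the network directly. Signals, not proof; a reviewer decides.
EXEC_PATTERN = re.compile(r"\bnode\s+\S+\.[cm]?js\b")
NET_PATTERN = re.compile(r"\b(curl|wget|https?://)", re.IGNORECASE)


def audit_install_scripts(pkg: dict, expected_hosts=()) -> list[str]:
    """Return findings for one parsed package.json (empty list = no signals)."""
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook}: runs at install time ({cmd!r})")
        if EXEC_PATTERN.search(cmd):
            findings.append(f"{hook}: executes a bundled script; read it before installing")
        if NET_PATTERN.search(cmd):
            findings.append(f"{hook}: touches the network directly")
    # The advisory's dropper read its download URL from `homepage`; a homepage
    # host outside the publisher's known hosts is a brand-impersonation signal.
    host = urlparse(pkg.get("homepage", "")).hostname or ""
    if host and expected_hosts and host not in expected_hosts:
        findings.append(f"homepage: host {host!r} is not an expected publisher host")
    return findings


# Constructed samples; the hostnames are placeholders, not the advisory's IoCs.
SUSPICIOUS_PKG = {
    "name": "example-risk-manager",
    "homepage": "https://example-server-help.invalid/config/peer.json",
    "scripts": {"postinstall": "node scripts/install-check.js"},
}
BENIGN_PKG = {"name": "example-math", "scripts": {"test": "node test.js"}}

if __name__ == "__main__":
    for pkg in (SUSPICIOUS_PKG, BENIGN_PKG):
        print(pkg["name"], audit_install_scripts(pkg, expected_hosts=("example.com",)))
```

Independently of any screening, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops these hooks from running at all, which removes the execution path this dropper relies on.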


Affected packages

npm / polymarket-risk-manager

No fixed version published yet for polymarket-risk-manager (npm). Pin to a known-safe version or switch to an alternative.
