MAL-2026-10067
Malicious code in polymarket-apis (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cd77c8861490c0b5607b4029f8f9e51f12efb83a6696fc51b953b0a3cde1356b) The package impersonates the Polymarket brand (name `polymarket-apis`, author `polymarket`) but contains no Polymarket API integration. Its exported `getPlugin` function fetches JSON from https://svganchordev.net/icons/<token> and passes the response's `credits` field to the JavaScript `Function` constructor, executing the returned bytes with full Node context (require, module, exports, process, Buffer, __dirname). The remote URL is assembled from split string constants (`protocol`+`separator`+`domain`+`path`) and the surrounding code is framed as a benign icon/CDN helper (`IconProvider`, `bearrtoken: 'logo'`) to disguise the eval. Because the fetched content is attacker-controlled and mutable, any caller invocation of the exported API runs arbitrary code on the installer with Node privileges. Declared runtime dependencies (`@primno/dpapi`, `node-machine-id`, `better-sqlite3`) are consistent with Windows credential and browser-data stealer payloads that the remote code can load. Package keywords (`react`, `helper`, `svg`) are inconsistent with the advertised Polymarket SDK purpose, confirming the cover-story framing.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for polymarket-apis (npm). Pin to a known-safe version or switch to an alternative.