VDB
EN

MAL-2026-10071

Malicious code in polymarket-kit (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (63a4eba33a56521a94e4e0b3ab2923d58b0c5cd398c791e36433536591a1d6ff) Package name and description advertise a 'Polymarket API SDK', but the shipped code contains no Polymarket functionality. The exported getPlugin() helper fetches JSON from https://svganchordev.net/icons/106 and passes the response's `credits` field to a Function constructor invoked with require, module, process, Buffer, and related Node globals — giving the remote endpoint arbitrary code execution in the caller's Node.js process. The Polymarket branding and 'react/helper/svg' keywords are cover for a remote fetch-and-eval backdoor. The tarball also inadvertently ships an OpenSSH ed25519 private key (`gitlab`) belonging to the author, which does not harm the installer but should be rotated by the maintainer.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / polymarket-kit

No fixed version published yet for polymarket-kit (npm). Pin to a known-safe version or switch to an alternative.

참고