VDB
EN

MAL-2026-10083

Malicious code in clob-math-v2 (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031) Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then `require()`s `peer-math.js` from it and invokes `syncSession()`. The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every `npm install`. Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / clob-math-v2

No fixed version published yet for clob-math-v2 (npm). Pin to a known-safe version or switch to an alternative.

참고