MAL-2026-10083
Malicious code in clob-math-v2 (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031) Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then `require()`s `peer-math.js` from it and invokes `syncSession()`. The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every `npm install`. Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for clob-math-v2 (npm). Pin to a known-safe version or switch to an alternative.