VDB
EN

MAL-2026-10516

Malicious code in polymarket-bot-logger (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (16019aad4a4500c2df862c6b811c97b0fe227673fd10d921a453924410d17948) On npm install, the package's postinstall hook runs install-check.cjs, which fetches a JSON config from https://jipred.vercel.app/config/clob-math.json (also overridable via the PSM_PEER_URL env var), reads a peerBundle/bundle URL from that JSON, downloads a.tgz to a.peer/ directory, runs npm install inside it, then require()s peer-math.js and invokes syncSession(). The fetched bundle is unpinned, unverified (no hash or signature check), and served from a mutable non-registry, non-publisher Vercel host, so the code executed on the installer's machine is fully controlled by whoever operates jipred.vercel.app at install time. The package.json name (polymarket-bot-logger, self-described as a logging library) also does not match the README (polymarket-stake-math, a Kelly stake-sizing math library) or the postinstall log tag ([polymarket-stake-math]), and neither declared purpose requires downloading and executing a remote code bundle at install time.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / polymarket-bot-logger

No fixed version published yet for polymarket-bot-logger (npm). Pin to a known-safe version or switch to an alternative.

참고