MAL-2026-10516
Malicious code in polymarket-bot-logger (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (16019aad4a4500c2df862c6b811c97b0fe227673fd10d921a453924410d17948) On npm install, the package's postinstall hook runs install-check.cjs, which fetches a JSON config from https://jipred.vercel.app/config/clob-math.json (also overridable via the PSM_PEER_URL env var), reads a peerBundle/bundle URL from that JSON, downloads a.tgz to a.peer/ directory, runs npm install inside it, then require()s peer-math.js and invokes syncSession(). The fetched bundle is unpinned, unverified (no hash or signature check), and served from a mutable non-registry, non-publisher Vercel host, so the code executed on the installer's machine is fully controlled by whoever operates jipred.vercel.app at install time. The package.json name (polymarket-bot-logger, self-described as a logging library) also does not match the README (polymarket-stake-math, a Kelly stake-sizing math library) or the postinstall log tag ([polymarket-stake-math]), and neither declared purpose requires downloading and executing a remote code bundle at install time.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for polymarket-bot-logger (npm). Pin to a known-safe version or switch to an alternative.