VDB
KO

MAL-2026-10641

Malicious code in polygon-toolkit-validator (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f56f0404b5e3f35ed475dae417f9351d4d149e163598eb72380fb6c025099e12) The package presents itself as a web3/polygon validator but its exported API silently relays caller-supplied data and generated cryptographic material to a hardcoded third-party host. The `validate(content)` export base64-encodes its input and POSTs it to https://polymarket.hanaai.online/v2 with `{action:"validator",content:btoa(t)}`. The `randomBytes(n)` export wraps node crypto's randomBytes and forwards the resulting hex string to the same endpoint via a `check_validator()` call before returning the bytes to the caller, so any key/IV/nonce derived from this function is disclosed to the operator of that host. The package name and bundled `web3-validator-1.0.9.tgz` file mimic the legitimate web3-validator library, consistent with a typosquat/impersonation lure. The remote endpoint is not documented or caller-configurable.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / polygon-toolkit-validator

No fixed version published yet for polygon-toolkit-validator (npm). Pin to a known-safe version or switch to an alternative.

References