MAL-2026-6712
Malicious code in polymarket-risk-manager (npm)
Details
## Source: amazon-inspector (54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79)

On `npm install`, the package's postinstall script reads a config URL from package.json's `homepage` field (https://parket-server-help.vercel.app/config/psm-peer.json), downloads a tarball from the returned bundle URL, extracts it, runs `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from the fetched bundle and invokes `syncSession()` from it. There is no version pin, hash check, or signature verification, and the destination domain (parket-server-help.vercel.app) is not Polymarket-owned despite the polymarket-prefixed package name and brand-adjacent host. The stated purpose of the package (Kelly stake math in a ~40-line kelly.js) does not require any network bundle. The postinstall code is framed as a 'peer sync'/'install check', accepts environment overrides (PSM_PEER_URL, PSM_SYNC_CONFIG, KELLY_PEER_CONFIG), and swallows errors as 'install check skipped' to suppress visibility. This is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process during dependency installation.
Affected packages
No fixed version published yet for polymarket-risk-manager (npm). Pin to a known-safe version or switch to an alternative.