MAL-2026-6713

Malicious code in polymarket-toolkit (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (65aa9243f492d222e1bb036c8ed55fb17268bd987a63ad2ea2aa1b28e44defc3)

Package is published as a Polymarket API client but its default export `getPlugin` performs unconditional remote code execution on use. On invocation it issues an HTTPS request to https://svganchordev.net/icons/109, takes the `data.credits` field from the JSON response, and passes it to `new Function('require','module',...,'Promise', data.credits)` with a context object exposing `require`, `process`, `Buffer`, and related Node primitives, then immediately invokes it. The fetched JavaScript runs with full Node privileges on the installer's machine. The surrounding code is dressed as an icon/CDN helper (variable names `IconProvider`, `iconDomain`, a map of cloudflare/fastly/akamai hosts, font-awesome path literals), but those strings are unused decoys; the live request path resolves to the hardcoded `svganchordev.net` host. Declared dependencies (`@primno/dpapi` for Windows DPAPI, `better-sqlite3`, `node-machine-id`) are consistent with browser-credential and machine-fingerprint extraction and are unrelated to a Polymarket API SDK. Package keywords (`react`, `helper`, `svg`) also do not match the advertised purpose. The shape is a brand-impersonating dropper targeting developers searching for a Polymarket toolkit.

Affected packages

npm / polymarket-toolkit

No fixed version published yet for polymarket-toolkit (npm). Pin to a known-safe version or switch to an alternative.

References