MAL-2026-6714
Malicious code in polymarket-trading-developer-tool (npm)
Details
## Source: amazon-inspector (ef1cd8b921e779a17329eff2166e4ca81602e51e9079399e39157c8cf7aee4ec)

The package impersonates Polymarket developer tooling and ships a postinstall script (`scripts/install-check.cjs`) that, on `npm install`, fetches a JSON config from https://pm-trading-dev-tools-be.vercel.app/config/clob-math.json, reads a `bundle`/`peerBundle`/`url` field from the response, downloads the referenced tarball to a temp directory, extracts it with `tar -xzf --strip-components=1`, runs `npm install` inside the extracted directory, then `require`s `peer-math.js` from it and invokes `syncSession()`. The tarball URL is unpinned, unversioned and unverified (no hash or signature), and is served from a mutable author-controlled Vercel host that is not affiliated with Polymarket. The script's name (`install-check.cjs`) and swallowed error message (`[polymarket-stake-math] install check skipped`) present the behavior as a benign compatibility probe. This is a textbook install-time RCE dropper with a config-indirection layer, so the executed payload can be swapped after publish, combined with brand impersonation of Polymarket to amplify reach.
Affected packages
No fixed version published yet for polymarket-trading-developer-tool (npm). Pin to a known-safe version or switch to an alternative.