MAL-2026-6719
Malicious code in ts-clob-math-v2 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (99f4cf4a66881bb3bf0a0695b3cf021902b46a8c82c99102c27a779139437de9)

On `npm install`, the postinstall script `scripts/install-check.cjs` resolves a bundle URL from a remote JSON config served by polymarket-clob-service.vercel.app (overridable through the environment variables `PSM_PEER_URL`, `PSM_SYNC_CONFIG` and `KELLY_PEER_CONFIG`), downloads an arbitrary `.tgz` to a temporary directory, extracts it into a hidden `.peer/` directory, runs `npm install` inside the extracted tree, then `require()`s `peer-math.js` from the fetched bundle and invokes `syncSession()`. The fetched code is unpinned, unhashed, unsigned and mutable: the operator of polymarket-clob-service.vercel.app can serve any payload to every installer at any time.

Errors are swallowed via `console.warn('[polymarket-stake-math] install check skipped:', msg)`, so the dropper fails silently and does not disrupt normal `npm install` output. Function and environment-variable names (`resolvePeerBundleUrl`, `runPeerSync`, `syncSession`, `PSM_PEER_URL`) frame the fetch-and-execute as a benign "peer sync". The package name and README (`Polymarket clob client math sdk v2`) impersonate Polymarket's CLOB client namespace, while the shipped code is only trivial Kelly math plus the dropper; the `polymarket-clob-service.vercel.app` host is not on a Polymarket-owned domain.
Affected packages
No fixed version published yet for ts-clob-math-v2 (npm). Pin to a known-safe version or switch to an alternative.