npm · Malicious package advisory
Malwarepolymarket-kelly-maths
MAL-2026-10069
Malicious code in polymarket-kelly-maths (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (dc23601d9ca932f0a36a1a6e7115e37da1e984b1adf3b39b9612b72f5a3cf90f) The package's postinstall script (install-check.cjs) resolves a bundle URL from a remote JSON config at https://jipred.vercel.app/config/clob-math.json (derived from package.json homepage), downloads a.tgz bundle, extracts it into a.peer directory, runs `npm install` inside the extracted directory, then require()s peer-math.js from the bundle and invokes syncSession(). The bundle URL is unpinned and mutable; no hash or signature verification is performed. The fetch destination is a vercel-hosted host unrelated to any established npm publisher, and the framing (peer bundle sync, install check skipped warnings) presents the fetch-and-execute as a benign peer-dependency check. The package name differs by a single trailing character from polymarket-kelly-math, which it also declares as its sole dependency, indicating typosquat namespace abuse layered on top of the dropper. Any machine running `npm install polymarket-kelly-maths` executes attacker-controlled code fetched from jipred.vercel.app at install time.
Compromised versions (1)
- 3.5.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.