VYPR

npm · Malicious package advisory

Malware

clob-math-v2

MAL-2026-10083

Malicious code in clob-math-v2 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031)
Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then `require()`s `peer-math.js` from it and invokes `syncSession()`. The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every `npm install`. Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.

Compromised versions (1)

  • 2.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.