VYPR

npm · Malicious package advisory

Malware

polymarket-math-stake-kelly

MAL-2026-10466

Malicious code in polymarket-math-stake-kelly (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5)
polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs `npm install` inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every `npm install`. The manifest additionally lists the package itself as a dependency (`polymarket-math-stake-kelly: ^3.7.2`), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.

Compromised versions (1)

  • 3.7.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.