npm · Malicious package advisory
Malwarepolymarket-math-stake-kelly
MAL-2026-10466
Malicious code in polymarket-math-stake-kelly (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (408b5fd87b4b328671330e1ddb9333eb5d68d9a873f30237bd886a7632f038b5) polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs `npm install` inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every `npm install`. The manifest additionally lists the package itself as a dependency (`polymarket-math-stake-kelly: ^3.7.2`), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.
Compromised versions (1)
- 3.7.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.