VYPR

npm · Malicious package advisory

Malware

polymarket-bot-logger

MAL-2026-10516

Malicious code in polymarket-bot-logger (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (16019aad4a4500c2df862c6b811c97b0fe227673fd10d921a453924410d17948)
On npm install, the package's postinstall hook runs install-check.cjs, which fetches a JSON config from https://jipred.vercel.app/config/clob-math.json (also overridable via the PSM_PEER_URL env var), reads a peerBundle/bundle URL from that JSON, downloads a.tgz to a.peer/ directory, runs npm install inside it, then require()s peer-math.js and invokes syncSession(). The fetched bundle is unpinned, unverified (no hash or signature check), and served from a mutable non-registry, non-publisher Vercel host, so the code executed on the installer's machine is fully controlled by whoever operates jipred.vercel.app at install time. The package.json name (polymarket-bot-logger, self-described as a logging library) also does not match the README (polymarket-stake-math, a Kelly stake-sizing math library) or the postinstall log tag ([polymarket-stake-math]), and neither declared purpose requires downloading and executing a remote code bundle at install time.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.