VYPR

npm · Malicious package advisory

Malware

polymarket-clob-client

MAL-2026-4643

Malicious code in polymarket-clob-client (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec)
The package is published as `polymarket-clob-client`, an unscoped lookalike of the legitimate `@polymarket/clob-client` maintained by Polymarket, but the shipped code is the third-party Hyperliquid SDK targeting a completely different exchange. `package.json` declares `"description": "Hyperliquid API SDK for all major JS runtimes..."` and the homepage points at `github.com/nktkas/hyperliquid`. The HTTP transport in `script/transport/http/mod.js` hardcodes `https://api.hyperliquid.xyz` as the default mainnet endpoint (`exports.MAINNET_API_URL = "https://api.hyperliquid.xyz"`). A developer who installs this package believing they are integrating with Polymarket's CLOB will instead be signing wallet messages and submitting trading orders to Hyperliquid. The structural signals — a clear name-squat of a well-known DeFi brand combined with code that silently routes wallet signatures and order intent to an unrelated venue — present concrete installer harm: misdirected funds and trading actions, regardless of whether the misnaming is intentional or negligent.

Compromised versions (1)

  • 2.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.