npm · Malicious package advisory
Malwarepolymarket-clob-client
MAL-2026-4643
Malicious code in polymarket-clob-client (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec) The package is published as `polymarket-clob-client`, an unscoped lookalike of the legitimate `@polymarket/clob-client` maintained by Polymarket, but the shipped code is the third-party Hyperliquid SDK targeting a completely different exchange. `package.json` declares `"description": "Hyperliquid API SDK for all major JS runtimes..."` and the homepage points at `github.com/nktkas/hyperliquid`. The HTTP transport in `script/transport/http/mod.js` hardcodes `https://api.hyperliquid.xyz` as the default mainnet endpoint (`exports.MAINNET_API_URL = "https://api.hyperliquid.xyz"`). A developer who installs this package believing they are integrating with Polymarket's CLOB will instead be signing wallet messages and submitting trading orders to Hyperliquid. The structural signals — a clear name-squat of a well-known DeFi brand combined with code that silently routes wallet signatures and order intent to an unrelated venue — present concrete installer harm: misdirected funds and trading actions, regardless of whether the misnaming is intentional or negligent.
Compromised versions (1)
- 2.1.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.