VYPR

npm · Malicious package advisory

Malware

stake-math

MAL-2026-6585

Malicious code in stake-math (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a475d161b669ae748124a4d6c1da29ebda6e40da4aa5c3c5e8b10645ef96f57a)
On `npm install`, the package's postinstall hook (`scripts/install-check.cjs`, wired via package.json `scripts.postinstall`) fetches a JSON config from a hardcoded non-publisher host (`https://www.log-prettier.store/config/stake-peer-sync.json`), reads a tgz URL from that config, downloads the tarball, extracts it, runs a nested `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from the dropped tree, executing it in the installer's Node process. There is no version pin, hash, or signature check, and the control-plane host is mutable and unrelated to the package's advertised purpose (a small Kelly-stake math helper) or to any legitimate publisher. The package also exhibits identity divergence: `package.json` `name` is `stake-math` while the README presents it as `polymarket-stake-math`, and `homepage` points at the same unrelated `log-prettier.store` domain — consistent with brand impersonation used to lure installers into running the dropper. Installing this version results in arbitrary attacker-controlled code execution on the installer machine.

Compromised versions (7)

  • 3.5.2
  • 3.5.3
  • 3.5.4
  • 3.3.0
  • 3.2.0
  • 3.1.0
  • 3.5.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.