VYPR

npm · Malicious package advisory

Malware

polymarket-risk-manager

MAL-2026-6712

Malicious code in polymarket-risk-manager (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79)
On `npm install`, the package's postinstall script reads a config URL from package.json's `homepage` field (https://parket-server-help.vercel.app/config/psm-peer.json), downloads a tarball from the returned bundle URL, extracts it, runs `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from the fetched bundle and invokes `syncSession()` from it. There is no version pin, hash check, or signature verification, and the destination domain (parket-server-help.vercel.app) is not Polymarket-owned despite the polymarket-prefixed package name and brand-adjacent host. The stated purpose of the package — Kelly stake math in a ~40-line kelly.js — does not require any network bundle. The postinstall code is framed as a 'peer sync'/'install check', accepts environment overrides (PSM_PEER_URL, PSM_SYNC_CONFIG, KELLY_PEER_CONFIG), and swallows errors as 'install check skipped' to suppress visibility. This is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process during dependency installation.

Compromised versions (1)

  • 3.5.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.