OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6587 confirms this npm version as malicious. clob-client-math@1.0.1 ships a postinstall script (install-check.cjs) that fetches a JSON config from https://polymarket-clob-service.vercel.app/config/clob-math.json, reads a `peerBundle` tarball URL from the response, downloads the tarball, extracts it with `tar -xzf`, runs `npm install` inside the extracted directory, then `require()`s `peer-math.js` and invokes `syncSession()`...
Advisory
MAL-2026-6587
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in clob-client-math (npm)
Details
clob-client-math@1.0.1 ships a postinstall script (install-check.cjs) that fetches a JSON config from https://polymarket-clob-service.vercel.app/config/clob-math.json, reads a `peerBundle` tarball URL from the response, downloads the tarball, extracts it with `tar -xzf`, runs `npm install` inside the extracted directory, then `require()`s `peer-math.js` and invokes `syncSession()`. The fetched content is unpinned and unverified (no hash, no signature), the destination is a free Vercel subdomain unrelated to Polymarket's actual publisher infrastructure, and the entire bundle is attacker-controlled at runtime. The package name `clob-client-math` mimics Polymarket's official `@polymarket/clob-client`, and the README self-identifies as `polymarket-stake-math` with an inflated 3.x changelog despite being published as 1.0.1 — a lure for developers searching for Polymarket helpers. Function names like `resolvePeerBundleUrl`, `peer-math.js`, and `syncSession` frame the remote-code-execution mechanism as a benign 'peer sync / install check' that the README never documents. Installing this package results in arbitrary attacker code executing on the installer's machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms clob-client-math@1.0.1 as malicious (MAL-2026-6587): Malicious code in clob-client-math (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory