registry  /  clob-math-v2  /  2.0.1

clob-math-v2@2.0.1

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10083 confirms this npm version as malicious. Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then...

Advisory
MAL-2026-10083
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in clob-math-v2 (npm)
Details
Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then `require()`s `peer-math.js` from it and invokes `syncSession()`. The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every `npm install`. Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 5.84 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-check.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/install-check.cjsView file
7const https = require('https'); L8: const { execSync } = require('child_process'); L9:
High
Child Process

Package source references child process execution.

scripts/install-check.cjsView on unpkg · L7
111stdio: 'inherit', L112: shell: true, L113: });
High
Shell

Package source references shell execution.

scripts/install-check.cjsView on unpkg · L111
114L115: execSync('npm install --omit=dev --no-audit --no-fund --loglevel=error', { L116: cwd: peerDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/install-check.cjsView on unpkg · L114
index.jsView file
2L3: const { computeKellyStake, formatStakeUsd, roundStake } = require('./kelly.js'); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L2

Findings

4 High4 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/install-check.cjs
HighShellscripts/install-check.cjs
HighRuntime Package Installscripts/install-check.cjs
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem