OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10083 confirms this npm version as malicious. Package presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then...
Decision evidence
public snapshotSource & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references child process execution.
scripts/install-check.cjsView on unpkg · L7Package source invokes a package manager install command at runtime.
scripts/install-check.cjsView on unpkg · L114