OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10670 confirms this npm version as malicious. The package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://slimopump.vercel.app/config/clob-math.json, downloads the.tgz referenced by that config, extracts it into a.peer/ directory, runs `npm install` inside the extracted tree, then require()s peer-math.js from the extracted bundle and invokes syncSession()...
Advisory
MAL-2026-10670
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eslintcmd (npm)
Details
The package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://slimopump.vercel.app/config/clob-math.json, downloads the.tgz referenced by that config, extracts it into a.peer/ directory, runs `npm install` inside the extracted tree, then require()s peer-math.js from the extracted bundle and invokes syncSession(). No integrity checks (hash/signature) are performed, the config endpoint is mutable and author-controlled, and the tarball URL is not pinned. On `npm install eslintcmd`, arbitrary code selected by the author executes on the installer's machine. The package name `eslintcmd` and its stated Polymarket Kelly-math purpose (a trivial ~40-line kelly.js) do not match the install-time behavior, consistent with a cover story around the dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms eslintcmd@0.2.0 as malicious (MAL-2026-10670): Malicious code in eslintcmd (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory