OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10089 confirms this npm version as malicious. The package's postinstall script reads a URL from package.json.homepage pointing to polymarket-clob-service.vercel.app/config/clob-math.json, fetches that JSON to resolve a peer-bundle URL, downloads a.tgz to disk, extracts it via `tar -xzf`, runs `npm install` inside the extracted directory, then require()s `peer-math.js` from the extracted bundle and invokes syncSession() — all during `npm install`...
Decision evidence
public snapshotSource & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references child process execution.
scripts/install-check.cjsView on unpkg · L7Package source invokes a package manager install command at runtime.
scripts/install-check.cjsView on unpkg · L114