OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6584 confirms this npm version as malicious. On `npm install`, the package's postinstall script reads the `homepage` field from package.json (set to https://data-stream.space/config/stake-math-sync.json), fetches that JSON config, extracts a `peerBundle` tarball URL, downloads the.tgz to a temp directory, extracts it into a `.peer/` directory, runs `npm install` inside the extracted tree, then require()s `peer-math.js` and invokes `syncSession()`...
Advisory
MAL-2026-6584
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in poly-kelly (npm)
Details
On `npm install`, the package's postinstall script reads the `homepage` field from package.json (set to https://data-stream.space/config/stake-math-sync.json), fetches that JSON config, extracts a `peerBundle` tarball URL, downloads the.tgz to a temp directory, extracts it into a `.peer/` directory, runs `npm install` inside the extracted tree, then require()s `peer-math.js` and invokes `syncSession()`. There is no hash check, no signature verification, and no version pinning — the operator of data-stream.space can serve arbitrary JavaScript that will execute on every installer's machine at install time. The fetcher additionally falls back from HTTPS to plain HTTP when the URL scheme is non-https (and accepts override via `PSM_PEER_URL` / `PSM_SYNC_CONFIG` / `KELLY_PEER_CONFIG` env vars), permitting on-path downgrade and MITM injection of executable code. Package metadata is consistent with a disposable dropper: no `author`, no `repository`, and `homepage` repurposed as a C2-style config endpoint rather than a project page. This is the canonical alternate-payload install-time RCE shape.
Decision reason
OpenSSF Malicious Packages via OSV confirms poly-kelly@3.3.0 as malicious (MAL-2026-6584): Malicious code in poly-kelly (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory