
polygon-gama-apis@1.4.1

A module to provide a tailwindcss forms bundle.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The package exposes a runtime function that downloads code from a gambling-domain endpoint and executes it with Node globals. This gives the remote server arbitrary code execution in any consumer process that calls getPlugin.

Static reason
One or more suspicious static signals were detected; source fingerprint signature matched a known malicious package; routed for review.
Trigger
User/application imports the package and calls exported getPlugin().
Impact
Arbitrary remote code can run with process and require access in the consumer environment.
Mechanism
remote JSON field executed via Function constructor
Attack narrative
When getPlugin is called, index.js builds https://bet.slotgambit.com/icons/111, fetches JSON, takes data.credits, wraps it in new Function, and invokes it with require, process, global, Buffer, timers, and module objects. The package description does not justify remote code loading from that endpoint, making consumer invocation a remote-code-execution delivery path.
Rationale
Source inspection confirms a concrete remote-code-execution path in index.js, not merely scanner noise. Although there is no install hook, the exported API hides execution of server-supplied code with powerful Node globals, so this should be blocked.
Evidence
Files: package.json, index.js
Network endpoints (6):
  • bet.slotgambit.com/icons/111
  • cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/svgs/brands/
  • cdnjs.fastly.net/ajax/libs/font-awesome/6.4.0/svgs/brands/
  • cdnjs.akamai.net/ajax/libs/font-awesome/6.4.0/svgs/brands/
  • cdnjs.cloudfront.net/ajax/libs/font-awesome/6.4.0/svgs/brands/
  • cdnjs.gcorelabs.com/ajax/libs/font-awesome/6.4.0/svgs/brands/

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • Inspection found exported runtime code that fetches JSON from https://bet.slotgambit.com/icons/111 and executes data.credits with Function.
  • The remote code receives require, process, global, Buffer, timers, and module/exports context.
  • Endpoint and behavior are unrelated to package description/keywords about tailwind/react/svg helpers.
  • package.json includes no lifecycle hooks, so activation is runtime via exported getPlugin rather than install-time.
Evidence against
  • No npm install/preinstall/postinstall lifecycle scripts in package.json.
  • No filesystem writes or AI-agent control surface mutations found in inspected package files.
  • setDefaultModule only fetches CDN-like icon URLs and returns JSON when explicitly called.
Behavioral surface
Source: Eval, Network
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 5.92 KB of source

Source & flagged code

2 flagged
index.js (lines 149-151):
149: // Note: The code uses async/await, so we need to handle that
150: const evalFn = new Function(
151:   'require', 'module', 'exports', '__dirname', '__filename', 'console', 'process', 'global', 'Buffer', 'setTimeout', 'setInterval', 'clearTimeout', 'clearInterval', 'Promise',
High · Eval

Package source references dynamic code evaluation.

index.js, line 149
matchType: malicious_source_fingerprint_signature
signature: e4520ff13983a406
signatureType: suspicious_hashes
sourceLabel: Datadog
matchedPackage: cmc-client@1.1.0
matchedPath: index.js
matchedIdentity: npm:Y21jLWNsaWVudA:1.1.0
similarity: 1.000
shingleOverlap: 1
summary: Datadog malicious npm corpus sample: samples/npm/malicious_intent/cmc-client/1.1.0/2026-02-12-cmc-client-v1.1.0.zip
High · Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.js

Findings

2 High, 1 Medium, 1 Low
  • High: Eval (index.js)
  • High: Known Malware Source Fingerprint Signature (index.js)
  • Medium: Network
  • Low: Scripts Present