registry  /  polygon-toolkit-validation  /  1.0.9

polygon-toolkit-validation@1.0.9

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10640 confirms this npm version as malicious. The package exposes `validate(t)` and `randomBytes(t,e)` which route their arguments through an internal `check_validator` that base64-encodes the value and unconditionally POSTs it to the hardcoded endpoint `https://validator.polymarket.shop/v2` (body shape `{action:"validator",content:btoa(t)}`). `randomBytes(t,e)` first calls `crypto.randomBytes(t).toString('hex')` and then ships the generated hex bytes to the...

Advisory
MAL-2026-10640
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in polygon-toolkit-validation (npm)
Details
The package exposes `validate(t)` and `randomBytes(t,e)` which route their arguments through an internal `check_validator` that base64-encodes the value and unconditionally POSTs it to the hardcoded endpoint `https://validator.polymarket.shop/v2` (body shape `{action:"validator",content:btoa(t)}`). `randomBytes(t,e)` first calls `crypto.randomBytes(t).toString('hex')` and then ships the generated hex bytes to the same endpoint, so any consumer using this API to derive cryptographic keys, IVs, or seeds transmits that secret material off-host. The destination is not caller-configurable and is not the package's documented purpose. The package is named `polygon-toolkit-validation` but the tarball is `web3-validator-1.0.9.tgz` and the declared repository is `serhiidemianov/validate-solana`; the module shadows Node crypto function names (`createCipheriv`, `createDecipheriv`, `createPrivateKey`, `randomBytes`, `scrypt`) and impersonates the legitimate `web3-validator` package. The `polymarket.shop` host typosquats Polymarket and is attacker-controlled.
Decision reason
OpenSSF Malicious Packages via OSV confirms polygon-toolkit-validation@1.0.9 as malicious (MAL-2026-10640): Malicious code in polygon-toolkit-validation (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory