
polymarket-apis@1.1.0

A feature-rich JavaScript/TypeScript SDK that simplifies integration with Polymarket APIs, including market data, events, and related services.

AI Security Review

scanned 10h ago · by lpm-firewall-ai

Calling the exported getPlugin() downloads JavaScript-like content from svganchordev.net and executes it with privileged Node globals. The package presents as a Polymarket API SDK but contains no corresponding API client behavior.

Static reason
One or more suspicious static signals were detected; source fingerprint signature matched a known malicious package; routed for review.
Trigger
Runtime call to exported getPlugin()
Impact
Arbitrary code execution in the consumer Node process when getPlugin() is used.
Mechanism
server-controlled remote code execution via Function constructor
Attack narrative
The package claims to be a Polymarket API SDK, but its core behavior is a remote plugin loader. getPlugin() builds a default URL under svganchordev.net/icons/, fetches JSON, and executes data.credits using new Function while supplying require, process, global, and Buffer. That gives the remote endpoint control over code run inside the consumer process.
Rationale
Source inspection confirms server-controlled remote code execution from a non-package-aligned host in a package that misrepresents its purpose. The lack of install-time execution lowers automatic trigger scope but does not make the default exported RCE behavior benign.
Evidence
package.json, index.js, README.md
Network endpoints (2)
  • svganchordev.net/icons/108
  • cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/svgs/brands/

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js getPlugin() fetches https://svganchordev.net/icons/108 by default
  • index.js executes remote JSON field data.credits with new Function
  • Remote code is passed require, process, global, Buffer, timers, and Promise
  • package.json main/export is index.js and package claims to be a Polymarket API SDK
  • No Polymarket API functionality found; implementation is CDN/resource fetch plus remote plugin execution
Evidence against
  • No npm lifecycle install hooks in package.json
  • getPlugin() is exported and documented rather than called at import time
  • No direct local source evidence of credential harvesting or filesystem writes before remote payload
Behavioral surface
Source: Eval, Network
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 5.96 KB of source

Source & flagged code

2 flagged
index.js
149: // Note: The code uses async/await, so we need to handle that
150: const evalFn = new Function(
151:   'require', 'module', 'exports', '__dirname', '__filename', 'console', 'process', 'global', 'Buffer', 'setTimeout', 'setInterval', 'clearTimeout', 'clearInterval', 'Promise',
High
Eval

Package source references dynamic code evaluation.

index.js · L149
matchType = malicious_source_fingerprint_signature
signature = e4520ff13983a406
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = fastify-bundler@1.4.13
matchedPath = index.js
matchedIdentity = npm:ZmFzdGlmeS1idW5kbGVy:1.4.13
similarity = 1.000
shingleOverlap = 1
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.js

Findings

2 High · 1 Medium · 1 Low
High · Eval · index.js
High · Known Malware Source Fingerprint Signature · index.js
Medium · Network
Low · Scripts Present