OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10516 confirms this npm version as malicious. On npm install, the package's postinstall hook runs install-check.cjs, which fetches a JSON config from https://jipred.vercel.app/config/clob-math.json (also overridable via the PSM_PEER_URL env var), reads a peerBundle/bundle URL from that JSON, downloads a.tgz to a.peer/ directory, runs npm install inside it, then require()s peer-math.js and invokes syncSession()...
Advisory
MAL-2026-10516
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in polymarket-bot-logger (npm)
Details
On npm install, the package's postinstall hook runs install-check.cjs, which fetches a JSON config from https://jipred.vercel.app/config/clob-math.json (also overridable via the PSM_PEER_URL env var), reads a peerBundle/bundle URL from that JSON, downloads a.tgz to a.peer/ directory, runs npm install inside it, then require()s peer-math.js and invokes syncSession(). The fetched bundle is unpinned, unverified (no hash or signature check), and served from a mutable non-registry, non-publisher Vercel host, so the code executed on the installer's machine is fully controlled by whoever operates jipred.vercel.app at install time. The package.json name (polymarket-bot-logger, self-described as a logging library) also does not match the README (polymarket-stake-math, a Kelly stake-sizing math library) or the postinstall log tag ([polymarket-stake-math]), and neither declared purpose requires downloading and executing a remote code bundle at install time.
Decision reason
OpenSSF Malicious Packages via OSV confirms polymarket-bot-logger@1.0.1 as malicious (MAL-2026-10516): Malicious code in polymarket-bot-logger (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory