registry  /  polymarket-math-stake-kelly  /  3.7.2

polymarket-math-stake-kelly@3.7.2

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10466 confirms this npm version as malicious. polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs `npm install` inside it, then require()s the extracted peer-math.js and invokes syncSession()...

Advisory
MAL-2026-10466
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in polymarket-math-stake-kelly (npm)
Details
polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs `npm install` inside it, then require()s the extracted peer-math.js and invokes syncSession(). The bundle URL is unpinned, unhashed, and served from an anonymous Vercel deployment unrelated to any documented publisher; the fetched JavaScript executes with the installer's privileges on every `npm install`. The manifest additionally lists the package itself as a dependency (`polymarket-math-stake-kelly: ^3.7.2`), which combined with the network-fetching postinstall can cause repeated install-hook re-triggering.
Decision reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 7.72 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-check.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
2L3: const { computeKellyStake, formatStakeUsd, roundStake } = require('./kelly.js'); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L2
scripts/install-check.cjsView file
matchType = normalized_sha256 matchedPackage = @tailwind-ts/eslint-plugin@0.3.0 matchedPath = scripts/install-check.cjs matchedIdentity = npm:[redacted]:0.3.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/install-check.cjsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 7a6b9f9c6080c2a1 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @tailwind-ts/eslint-plugin@0.3.0 matchedPath = scripts/install-check.cjs matchedIdentity = npm:[redacted]:0.3.0 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/install-check.cjsView on unpkg

Findings

3 High4 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similarityscripts/install-check.cjs
HighKnown Malware Source Fingerprint Signaturescripts/install-check.cjs
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem