OSV Malicious Advisory
scanned 5h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10466 confirms this npm version as malicious. polymarket-math-stake-kelly@3.7.2 runs scripts/install-check.cjs as a postinstall hook. The script reads a config URL (defaulting to https://jipred.vercel.app/config/clob-math.json), downloads a.tgz bundle referenced by that config to a local.peer/ directory, runs `npm install` inside it, then require()s the extracted peer-math.js and invokes syncSession()...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/install-check.cjsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/install-check.cjsView on unpkg